b"                                                                               Issue Date\n                                                                                    November 16, 2009\n                                                                                \xef\x80\xa0\n                                                                               Audit Case Number\n                                                                                    2010-FO-0003\n\n\n\n\nTO:             Anthony P. Scardino, Acting Deputy Chief Financial Officer, F\n\n\n\n\nFROM:           Thomas R. McEnanly, Director, Financial Audits Division, GAF\n\nSUBJECT: Additional Details to Supplement Our Report on HUD\xe2\x80\x99s Fiscal Years 2009 and\n         2008 Financial Statements\n\n                                           HIGHLIGHTS\n\n What We Audited and Why\n\n                 We are required to annually audit the consolidated financial statements of the U.S.\n                 Department of Housing and Urban Development (HUD) in accordance with the\n                 Chief Financial Officers Act of 1990, as amended. Our report on HUD\xe2\x80\x99s fiscal\n                 years 2009 and 2008 financial statements are included in HUD\xe2\x80\x99s Fiscal Year 2009\n                 Performance and Accountability Report. This report supplements our report on\n                 the results of our audit of HUD\xe2\x80\x99s principal financial statements for the fiscal years\n                 ending September 30, 2009, and September 30, 2008. Also provided are\n                 assessments of HUD\xe2\x80\x99s internal controls and our findings with respect to HUD\xe2\x80\x99s\n                 compliance with applicable laws, regulations, and government-wide policy\n                 requirements and provisions of contracts and grant agreements.1 In addition, we\n\n    1\n       Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included\nin this report but are included in the accounting firm of Urbach Kahn and Werlin LLP\xe2\x80\x99s audit of FHA\xe2\x80\x99s financial\nstatements. That report has been published in our report, Audit of Federal Housing Administration Financial\nStatements for Fiscal Years 2009 and 2008 (2010-FO-0002, dated November 13, 2009).\n\n    Additional details relating to the Government National Mortgage Association, (Ginnie Mae), another HUD\ncomponent, are not included in this report but are included in the accounting firm of Carmichael Brasher Tuvell and\nCompany\xe2\x80\x99s audit of Ginnie Mae\xe2\x80\x99s financial statements. That report has been published in our report, Audit of\nGovernment National Mortgage Association Financial Statements for Fiscal Years 2009 and 2008 (2010-FO-0001),\ndated November 06, 2009).\n\x0c         plan to issue a letter to management on or before January 16, 2010, describing\n         other issues of concern that came to our attention during the audit.\n\n\nWhat We Found\n\n\n                In our opinion, HUD\xe2\x80\x99s fiscal years 2009 and 2008 financial statements\n                were fairly presented. Our opinion on HUD\xe2\x80\x99s fiscal years 2009 and 2008\n                financial statements is reported in HUD\xe2\x80\x99S Fiscal Year 2009 Performance\n                and Accountability Report. The other auditors and our audit also\n                disclosed the following 11 significant deficiencies in internal controls\n                related to the need to:\n\n            \xef\x80\xad Adequately monitor Office of Community Planning and Development\n              (CPD) grantees\xe2\x80\x99 compliance with program regulations;\n            \xef\x80\xad Continue improvements in the oversight and monitoring of subsidy\n              calculations, intermediaries\xe2\x80\x99 program performance, and Housing Choice\n              Voucher program funds;\n            \xef\x80\xad Improve the processes for reviewing obligation balances;\n            \xef\x80\xad Comply with Federal financial management systems requirements;\n            \xef\x80\xad Further strengthen controls over HUD\xe2\x80\x99s computing environment;\n            \xef\x80\xad Improve personnel security practices for access to the Department\xe2\x80\x99s\n              critical financial systems;\n            \xef\x80\xad Strengthen the Government National Mortgage Association\xe2\x80\x99s (Ginnie\n              Mae) monitoring and management controls in regard to the Mortgage-\n              Backed Securities program;\n            \xef\x80\xad Implement short-term capacity management plans for Federal Housing\n              Administration (FHA) systems;\n            \xef\x80\xad Effect FHA modernization to address system risks;\n            \xef\x80\xad Address increased risk to management\xe2\x80\x99s estimate of the Loan Guarantee\n              Liability brought about by economic conditions and inherent model\n              design risks; and\n            \xef\x80\xad Enhance user access management processes for the FHA subsidiary\n              ledger.\n\n         Our findings include the following four instances of noncompliance with\n         applicable laws and regulations:\n\n            \xef\x80\xad HUD did not substantially comply with the Federal Financial Management\n              Improvement Act regarding system requirements;\n            \xef\x80\xad HUD did not substantially comply with the Antideficiency Act;\n            \xef\x80\xad FHA\xe2\x80\x99s Mutual Mortgage Insurance fund capitalization was not maintained\n              at a minimum capital ratio of two percent, which is required under the\n              Cranston-Gonzalez National Affordable Housing Act of 1990; and\n            \xef\x80\xad Ginnie Mae did not comply with the Federal Information Management\n              Security Act.\n\n\n                                          2\n\x0c          The audit also identified $199.1 million in excess obligations recorded in HUD\xe2\x80\x99s\n          records. We also are recommending that HUD seek legislative authority to\n          implement $ 317 million in offsets against public housing agencies\xe2\x80\x99 (PHA) excess\n          unusable funding held in Net Restricted Assets Accounts at the PHAs. These\n          amounts represent funds that HUD could put to better use.\n\nWhat We Recommend\n\n\n          Most of the issues described in this report represent long-standing weaknesses.\n          We understand that implementing sufficient change to mitigate these matters is a\n          multiyear task due to the complexity of the issues, insufficient information,\n          technology systems funding, and other impediments to change. In this and in\n          prior years\xe2\x80\x99 audits of HUD\xe2\x80\x99s financial statements, we have made\n          recommendations to HUD\xe2\x80\x99s management to address these issues. Our\n          recommendations from the current audit, as well as those from prior years\xe2\x80\x99 audits\n          that remain open, are listed in appendix B of this report.\n\n          For each recommendation without a management decision, please respond and\n          provide status reports in accordance with HUD Handbook 2000.06, REV-3.\n\n\nHUD\xe2\x80\x99s Response\n\n\n          The complete text of the agency\xe2\x80\x99s response can be found in appendix E. This\n          response, along with additional informal comments, was considered in preparing\n          the final version of this report.\n\n\n\n\n                                          3\n\x0c                             TABLE OF CONTENTS\n\n\n\nHighlights                                                                 1\n\nInternal Control                                                           5\n\nCompliance With Laws and Regulations                                      39\n\nAppendixes\n   A. Objectives, Scope, and Methodology                                  42\n   B. Recommendations                                                     45\n   C. FFMIA Noncompliance, Responsible Program Offices, and Recommended   50\n      Remedial Actions\n   D. Schedule of Questioned Costs and Funds To Be Put to Better Use      67\n   E. Agency Comments                                                     68\n   F. OIG Evaluation of Agency Comments                                   71\n\n\n\n\n                                        4\n\x0c                                   Internal Control\n\nSignificant Deficiency: Office of Community Planning and Development\n(CPD) Needs to Adequately Monitor Grantees\xe2\x80\x99 Compliance with Program\nRequirements\n\nCPD seeks to develop viable communities by promoting integrated approaches that provide\ndecent housing and a suitable living environment and expand economic opportunities for low-\nand moderate-income persons. The primary means toward this end is the development of\npartnerships among all levels of government and the private sector, including for-profit and\nnonprofit organizations. To carry out its mission, CPD utilizes a mixture of competitive and\nformula-based grants. Program offices have a responsibility to ensure that the funds provided\nare adequately monitored to ensure that programs are meeting their goals and objectives in\naccordance with program requirements.\n\nGrantee oversight is an ongoing process that assesses the quality of a program participant\xe2\x80\x99s\nperformance over a period of time. Monitoring provides information about program participants\nthat is critical for making informed judgments about program effectiveness and management\nefficiency. Consistent monitoring efforts also help to identify instances of fraud, waste, and\nabuse within HUD\xe2\x80\x99s programs and facilitate the correction of control deficiencies before they\nmaterially affect the achievement of the organization\xe2\x80\x99s objectives.\n\nBased upon our review of HUD\xe2\x80\x99s HOME, Community Development Block Grant (CDBG), and\nHomeless Assistance programs, we noted control deficiencies regarding monitoring of timely\nobligation and expenditure of grant funds. The combination of the control deficiencies we\nnoted during our audit have adversely affected the organization's ability to meet its internal\ncontrol objectives, which are to determine grantee compliance with applicable laws and\nregulations, to timely identify deficiencies, and to design corrective actions to improve or\nreinforce program participant performance.\n\n\n\n Compliance With Obligation Requirements by State\n CDBG Programs Not Consistently Monitored or Enforced\n\n\n\n              CPD did not consistently monitor and ensure that CDBG non-entitlement funds\n              were obligated and announced in accordance with the timeliness requirements in\n              the Code of Federal Regulations (CFR). Part 570 of the CFR requires that States\n              obligate and announce 100 percent of their annual grants (excluding State\n              administration) to units of general local government within 15 months of the State\n              signing its grant agreement with HUD.\n\n\n\n\n                                               5\n\x0c          CPD completed its latest timeliness review of obligations for grant years 2000-\n          2004 in 2006. It did not begin its review of the programs\xe2\x80\x99 timeliness requirement\n          for grant years 2005-2007 until September 2008, which is still ongoing. No\n          review had been performed for States that signed grant agreements in 2008.\n\n          The results of the review for grant years 2000-2004 were published in CPD\n          Notice 06-12, dated November 2, 2006. CPD\xe2\x80\x99s review revealed that for grant\n          years 2000-2004, 25 of 50 States had not met the 100 percent standard for\n          obligating and announcing their grants to the local governments within 15 months\n          of HUD\xe2\x80\x99s date of award for at least 1 of the years reviewed. We determined that\n          over the course of these 5 years, about $53 million was not distributed in a timely\n          manner. In our initial discussions, CPD was unsure of the follow-up and/or\n          remedial actions taken by the field offices regarding States that were in\n          noncompliance with the distribution requirements. Documentation was later\n          provided by CPD for a sample of 6 of the 25 States, indicating that field offices\n          did perform follow-up regarding their noncompliance.\n\n          CPD\xe2\x80\x99s policy is to review data from the Line of Credit Control System (LOCCS)\n          and the Grants Management Process (GMP) System within 15 months after the\n          beginning of each State\xe2\x80\x99s program year and request field offices to verify that\n          States have obligated and announced funds in compliance with the timely\n          distribution requirement. We found that the data used by CPD to determine\n          compliance with the timeliness requirements were sometimes incomplete or\n          contained errors. CPD\xe2\x80\x99s ability to monitor the obligation requirement appeared to\n          have been hampered because the data used to measure compliance with this\n          requirement were not maintained in one system. Officials added that the timely\n          distribution requirement was only one element subject to monitoring review and\n          may or may not have been included in any given monitoring review conducted by\n          a field office.\n\n          When States do not obligate and announce grant funds in a timely manner, units\n          of local government cannot make the most effective and efficient use of their\n          funding. In addition, noncompliance with the timely obligation requirement may\n          indicate that there are other performance issues within the State. As a result, a\n          State\xe2\x80\x99s annual funding amount for the following grant year may need to be\n          reduced or suspended.\n\n          We recommend that CPD follow existing policies and regulations regarding\n          annual review of the distribution requirements for the State program and followup\n          with remedial actions against States that are in noncompliance. In addition, we\n          recommend that the office ensure that the most complete and accurate data are\n          used to conduct the review and to consider modifying an existing system that\n          would create an automated process to house all of the data needed for the review.\n\n\n\nSubgrantees and Community Housing Development\nOrganizations for the HOME Program Do Not Always\nExpend Grant Funds in a Timely Manner\n\n                                           6\n\x0cThe HOME Expiring Funds Report maintained by the Office of Affordable\nHousing Programs, dated September 24, 2009, contained unexpended HOME\nInvestment Partnerships Program (HOME) funds on grants from 1992 through\n2001 that totaled $24.7 million. We found that these funds had accumulated\nmainly due to poorly performing community housing development organizations\n(CHDO) and subgrantees that did not expend funds in a timely manner. We also\nfound that these funds had accumulated due to the programs\xe2\x80\x99 cumulative\naccounting requirements that allow one grantee\xe2\x80\x99s poor performance within a\nparticipating jurisdiction to be hidden or go undiscovered.\n\nHOME program regulations state that funds that are not expended in a timely\nmanner can be reallocated in the next year\xe2\x80\x99s formula allocation to further the\nmission of the program. It is the field offices\xe2\x80\x99 responsibility to ensure that funds\nfrom fiscal years 2001 and earlier that were not spent in a timely manner are\nrecaptured and used in the next year\xe2\x80\x99s formula allocation.\n\nHOME program regulations do not penalize or highlight poorly performing\nsubgrantees or CHDOs for two reasons. First, the commitment, reservation, and\ndisbursement deadlines are determined on an aggregate/cumulative basis versus a\ngrant year basis. This process has created a situation in which older funds can\nremain available for drawdown because compliance with the disbursement\ndeadline is determined cumulatively. Therefore, if a subgrantee or CHDO is not\nperforming as it should, or not spending funds to complete its projects, the\ncumulative program requirements may allow one grantee\xe2\x80\x99s poor performance to\nbe hidden or go undiscovered.\n\nSecond, the funds that are subgranted or reserved to a CHDO are held to the five\nyear disbursement deadline, but it is the participating jurisdiction that is ultimately\nresponsible for meeting the disbursement deadline. Only the participating\njurisdiction can draw funds, not the subgrantee or CHDO. In addition, it appears\nthat the large number of subgrantees and CHDOs per participating jurisdiction\nwithin the HOME program makes it difficult for the field offices to sufficiently\nmonitor the status of subgranted funds.\n\nSince $24.7 million in HOME grant funds for fiscal years 2001 and earlier has\nbeen reserved or committed but not expended, these funds had not been used to\nexpand the supply of decent, safe, sanitary, and affordable housing for low- and\nvery low-income families.\n\nWe recommend that CPD ensure that field offices encourage participating\njurisdictions to review the Expiring Funds Report as well as the performance of\nCHDOs and subgrantees to determine whether the $24.7 million should be\ndeobligated. We also recommend that CPD develop a policy that would track\nexpenditure deadlines for funds reserved and committed to CHDOs and\nsubgrantees separately.\n\n\n\n                                  7\n\x0cFunds From Expired Contracts Not Always Recaptured\nfor Homeless Assistance Programs\n\n\n\n            Reports from HUD\xe2\x80\x99s Financial Data Mart show approximately $48 million in\n            undisbursed obligations recorded for expired contracts that were funded with\n            grants during 1997-2001 for homeless assistance programs. These contracts\n            expired on or before September 30, 2009. Of the $48 million, approximately $6\n            million relates to contracts that expired 90 days before the fiscal year-end. CPD\xe2\x80\x99s\n            Funds Control Plan allows a 90-day closeout period for expired contracts.\n\n            According to the Appropriations Law, these funds are available until expended\n            and do not return to the U.S. Treasury when the contracts expire. However, the\n            field offices are responsible for reviewing the status of contracts and\n            recommending that funds that have been obligated but not disbursed in the\n            appropriate timeframes be deobligated and included in the next year\xe2\x80\x99s Continuum\n            of Care competition to be redistributed to eligible grantees. The competitive\n            programs under homeless assistance include (1) Shelter Plus Care, (2) Supportive\n            Housing, and (3) Section 8 Moderate Rehabilitation Single Room Occupancy.\n\n            CPD officials stated that when a contract expires, the excess funding should be\n            locked, and the grantees should have no access to the funds. CPD has instructed\n            the field offices to review these contracts and recommend that the remaining\n            funds be recaptured. Special emphasis has been placed on this review process\n            before the annual funding competition. However, the field offices have been\n            overwhelmed with American Recovery and Reinvestment Act of 2009 (Recovery\n            Act) funding requirements and other requirements. As a result, many of these\n            expired contract reviews have not been performed.\n\n            In addition, it appears that it is difficult for CPD to consistently track contract\n            expiration dates because there is no report that shows all of the necessary\n            information. Project data from the Financial Data Mart must be merged with\n            LOCCS data because LOCCS stores the contract expiration dates.\n\n            The $42 million identified as excess funding on expired contracts can be included\n            in the next year\xe2\x80\x99s Continuum of Care competition as announced in the notice of\n            funding availability and redistributed to eligible grantees. The excess funds\n            should be recaptured and used to further accomplish the objectives of the\n            program, which are to reduce the incidence of homelessness in Continuum of\n            Care communities by assisting homeless individuals and families to move to self-\n            sufficiency and permanent housing.\n\n            We recommend that CPD develop a policy to ensure that an annual review of the\n            status of each of its homeless assistance contracts is conducted, which may\n            include recommending deobligation and recapture of excess funds when\n            applicable. To effectively track its homeless assistance program expiration dates,\n\n\n                                               8\n\x0c                we recommend that CPD develop the management reports needed to effectively\n                track its homeless assistance program expiration dates. We also recommend that\n                field offices review the status of the identified contracts and recapture up to the\n                $42 million identified in undisbursed obligations for expired contracts that were\n                funded with grants during 1997-2001 for homeless assistance programs and\n                consider such funds for inclusion in the fiscal year 2010 Continuum of Care\n                competition.\n\n\n    Completed Projects for the HOME\n    Program Not Always Closed Out in IDIS\n    in a Timely Manner\n\n\n                The Open Activities Report is issued monthly and used by CPD field offices and\n                participating jurisdictions within the HOME program to review open activities in\n                the Integrated Disbursement and Information System (IDIS). Open activities are\n                those that have not been closed in the system.\n\n                A review of HUD\xe2\x80\x99s Open Activities Report, dated August 31, 2009, showed\n                5,972 of 29,216 open activities (20 percent), in which the participating\n                jurisdiction had made its final draw but the activity was still listed on the Open\n                Activities Report. Thus, these projects had not been closed in the system\n                although all funds had been drawn. HOME program regulations require\n                participating jurisdictions to enter project completion information into IDIS\n                within 120 days of making a final draw for a project. A similar finding 2 was\n                reported by the Office of Inspector General (OIG) concerning HUD\xe2\x80\x99s needs to\n                improve efforts to require participating jurisdictions to cancel HOME fund\n                balances for open activities.\n\n                The Open Activities Report also allows participating jurisdictions to view\n                activities that have been open for several years with little or no HOME funds\n                drawn. Field offices can use this report as a desk-monitoring tool to view each\n                participating jurisdiction\xe2\x80\x99s open activities in need of completion or possibly\n                cancellation in IDIS. If the report indicates that funds have not been drawn for an\n                extended period, the field office can use the report to follow up with the\n                participating jurisdiction to determine the reason for the slow progress on the\n                project and whether it should be cancelled.\n\n                However, it appeared that the field offices were not using the Open Activities\n                Report to follow up with participating jurisdictions on slow-moving projects listed\n                on the report. It also appeared that participating jurisdictions were not using the\n                report as a reference to determine projects that should be cancelled or closed in\n                IDIS. The report was created to alleviate the widespread problem of participating\n                jurisdictions not entering project completion data into IDIS in a timely manner.\n\n2\n OIG audit report entitled \xe2\x80\x95HUD Lacked Adequate Controls to Ensure the Timely Commitment and Expenditure of\nHOME Funds (2009-AT-0001, dated September 28, 2009).\n\n\n                                                     9\n\x0c              Participating jurisdictions that do not enter completion data in a timely manner are\n              in violation of the HOME regulations. Failure to enter project completion data in\n              IDIS negatively affects a participating jurisdiction\xe2\x80\x99s score on several HOME\n              performance SNAPSHOTS indicators, understating actual accomplishments and\n              reducing the participating jurisdiction\xe2\x80\x99s statewide and national overall rankings.\n\n              The widespread failure of participating jurisdictions to enter completion and\n              beneficiary data in a timely manner results nationally in underreporting of actual\n              HOME program accomplishments to Congress and the Office of Management and\n              Budget (OMB) and may negatively impact future funding for the program.\n\n              We recommend that CPD require field offices to monitor participating\n              jurisdictions to ensure that project completion information and beneficiary data\n              are complete, accurate, and entered into IDIS monthly and to follow up with\n              participating jurisdictions on slow-moving projects to determine the reason for the\n              delay. We also recommend that CPD require participating jurisdictions to have a\n              quality control systems in place to ensure that the required project completion\n              information and beneficiary data are complete, accurate, and entered into IDIS\n              monthly.\n\n\n\n\nSignificant Deficiency: HUD Management Must Continue To Improve\nOversight and Monitoring of Subsidy Calculations, Intermediaries\xe2\x80\x99\nPerformance, and Utilization of Housing Choice Voucher Funds\n\nUnder the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds\nthrough various grant and subsidy programs to multifamily project owners (both nonprofit and\nfor profit) and housing agencies. These intermediaries, acting for HUD, provide housing\nassistance to benefit primarily low-income families and individuals (households) that live in\npublic housing, Section 8 and Section 202/811 assisted housing, and Native American housing.\nIn fiscal year 2009, HUD spent about $29 billion to provide rent and operating subsidies that\nbenefited more than 4.7 million households.\nSince 1996, we have reported on weaknesses with the monitoring of the housing assistance\nprogram\xe2\x80\x99s delivery and the verification of subsidy payments. We focused on the impact these\nweaknesses had on HUD\xe2\x80\x99s ability to (1) ensure intermediaries are correctly calculating housing\nsubsidies and (2) verify tenant income and billings for subsidies. During the past several years,\nHUD has made progress in correcting this deficiency. In 2009, HUD continued utilizing the\ncomprehensive consolidated reviews in the Office of Public and Indian Housing\xe2\x80\x99s (PIH) efforts\nto address public housing agencies\xe2\x80\x99 (PHA) improper payments and other high-risk elements.\nHUD\xe2\x80\x99s continued commitment to the implementation of a comprehensive program to reduce\nerroneous payments will be essential to ensuring that HUD\xe2\x80\x99s intermediaries are properly carrying\nout their responsibility to administer assisted housing programs according to HUD requirements.\n\n\n\n\n                                               10\n\x0cThe Department has demonstrated improvements in its internal control structure to address the\nsignificant risk that HUD\xe2\x80\x99s intermediaries are not properly carrying out their responsibility to\nadminister assisted housing programs according to HUD requirements. HUD\xe2\x80\x99s increased and\nimproved monitoring has resulted in a significant decline in improper payment estimates over the\nlast several years. However, HUD needs to continue to place emphasis on its on-site monitoring\nand technical assistance to ensure that acceptable levels of performance and compliance are\nachieved and periodically assess the accuracy of intermediaries rent determinations, tenant\nincome verifications, and billings.\nTenant income is the primary factor affecting eligibility for housing assistance, the amount of\nassistance a family receives, and the amount of subsidy HUD pays. Generally, HUD\xe2\x80\x99s subsidy\npayment makes up the difference between 30 percent of a household\xe2\x80\x99s adjusted income and the\nhousing unit\xe2\x80\x99s actual rent or, under the Section 8 voucher program, a payment standard. The\nadmission of a household to these rental assistance programs and the size of the subsidy the\nhousehold receives depend directly on the household\xe2\x80\x99s self-reported income. However,\nsignificant amounts of excess subsidy payments occur because of errors in intermediaries\xe2\x80\x99 rent\ndeterminations and undetected, unreported, or underreported income. By overpaying rent\nsubsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds\nthat could have been used to subsidize other eligible families in need of assistance.\n\n\n\n HUD\xe2\x80\x99s Gross Estimate of Erroneous Payments Increased\n in Fiscal Year 2009\n\n\n              The estimate of erroneous payments that HUD reports in its Performance and\n              Accountability Report relates to HUD\xe2\x80\x99s inability to ensure or verify the accuracy\n              of subsidy payments being determined and paid to assisted households. This\n              year\xe2\x80\x99s contracted study of HUD\xe2\x80\x99s three major assisted housing programs\n              estimated that the rent determination errors made by the intermediaries resulted in\n              substantial subsidy overpayments and underpayments. The study was based on\n              analyses of a statistical sample of tenant files, tenant interviews, and income\n              verification data for activity that occurred during fiscal year 2008. However, the\n              amounts reported in the study have been adjusted due to recent program structure\n              changes.\n              The Public Housing programs switched to Asset Management and began\n              calculating formula income for PHAs as noted in 24 CFR 990.195 Calculating\n              Formula Income. This change eliminated the 3 types of improper payment errors\n              for the Public Housing program. This new process was implemented in January\n              2007. Therefore for FY 2007 this process was in place for the last 3 quarters of\n              the year and HUD subsidy errors occurred only in the first quarter. Errors could\n              still be made by PHAs in their calculation of the amount of tenant rent or tenants\n              could still be under reporting their income, however beginning January 2007 this\n              no longer affected HUD's subsidy. The Quality Control (QC) study and Income\n              Match Reporting study estimated these errors for the entire fiscal year because\n              this information is useful to management of both PIH and the PHAs. However,\n              based on the conversion to asset management and the change in calculating\n\n\n                                               11\n\x0cformula income becoming effective in January 2007, none of the amounts\ncalculated in the QC study for the Public Housing Administrator, Income\nReporting, and Billing errors will be reported for FY 2008 as this change was in\neffect for all of FY 2008. In addition, the establishment of a budget based\nfunding methodology was implemented for the Housing Choice Voucher Program\nto eliminate the opportunity for billing errors in that program. Budget based\nmeans that each PHA will have a set annual budget for vouchers to serve their\nclients\xe2\x80\x99 needs. The PHA will receive the annual budget in 12 equal monthly\npayments \xe2\x80\x93 thus eliminating the need to bill HUD and eliminating the Housing\nChoice Voucher Program Billing Error.\nThe estimate of erroneous payments is reported in HUD\xe2\x80\x99s Fiscal Year 2009\nPerformance and Accountability Report as Other Accompanying Information and\nwill reflect the adjusted error estimates. Based on the previously mentioned\nprogram structure changes, HUD is reporting subsidy payment inconsistencies in\nwhich HUD incorrectly paid $592 million in annual housing subsidies. This is a\n12 percent decrease in the gross erroneous payments in comparison to the prior\nyear.\nThe estimate of erroneous payments this year also includes overpaid subsides\nfrom underreported and unreported income and intermediaries\xe2\x80\x99 billings errors.\nHUD estimated that housing subsidy overpayments from tenants misreporting\ntheir income totaled an additional $364 million in overpayments during Fiscal\nyear 2008 before making adjustments for the program structure changes.\nHowever, during our testing of the initial error estimate results, we found\nadditional cases resulting in valid errors. In addition, we also determined that the\ncontractor performing the review of the income match was not following the rules\nproperly for some of the cases. As a result, the contractor re-reviewed the cases\nto apply the rules correctly and issued a revised income match report with a total\nestimate of $416 million. Therefore, including the subsidy error associated with\nthe income from these cases and making adjustments for the program structural\nchanges, the revised estimate is $370.7 million.\nHUD did not conduct a billings study during fiscal year 2009. Therefore, the\nresults of prior year\xe2\x80\x99s study will carryover for this year\xe2\x80\x99s billings error estimate\nand have been adjusted according to the previously mentioned program structural\nchanges. Based on the payment errors that were identified for the Office of\nHousing\xe2\x80\x99s project-based Section 8 housing program, HUD reported an estimated\n$59 million in program billings errors for fiscal year 2006. In addition, PIH\xe2\x80\x99s\nbillings error estimate has been reduced to zero for the Housing Choice Voucher\nprogram. Additionally, the operating subsidy estimate was reduced to zero for the\nPIH billings estimate based on the previously mentioned structural changes.\nTherefore, only the Office of Housing\xe2\x80\x99s estimate of $59 million will be included\nin the estimate of erroneous payments for billings errors.\n\nIn totality, HUD has increased the combined gross improper rental housing\nassistance payment estimates to $1.022 billion in Fiscal Year 2008. This is a total\nincrease of 3 percent in comparison to the prior year estimates of $993 million.\n\n\n\n\n                                 12\n\x0cNeed To Continue Initiatives To Detect\nUnreported Tenant Income\n\n\n           The computer matching agreement between HUD\xe2\x80\x99s Office of Housing and the\n           Department of Health and Human Services (HHS) for use of the National\n           Directory of New Hires in the Enterprise Income Verification system (EIV) was\n           finalized in fiscal year 2008. HUD successfully expanded its computer matching\n           program with the HHS data to all of its rental assistance programs (public\n           housing, housing vouchers, and project-based housing) when HUD s project-\n           based program gained access to the HHS database on January 15, 2008. The\n           other programs had gained access previously. HUD had intended to issue a final\n           rule mandating the use of this matching data by the end of calendar year 2008.\n           However, the final rule revising HUD's public and assisted housing program\n           regulations to implement the up-front income verification process for program\n           participants was published on January 27, 2009. Consequently, the final rule was\n           scheduled to become effective on September 30, 2009, but it has now been\n           postponed and will not become effective until January 31, 2010. This rule would\n           require the use of HUD's EIV system by PHAs and owners and management\n           agents.\n\n           EIV is a web-based system that compiles tenant income information and makes it\n           available online to HUD business partners to assist in determining accurate tenant\n           income as part of the process of setting rental subsidy. Currently, EIV matches\n           tenant data against Social Security Administration information, including Social\n           Security benefits and Supplemental Security Income, and with the HHS National\n           Directory of New Hires (NDNH) database, which provides information such as\n           wages, unemployment benefits, and W-4 (\xe2\x80\x95new hires\xe2\x80\x96) data, on behalf of PIH and\n           Multifamily Housing programs. The EIV System is available to PHAs\n           nationwide and to Owner Administered project-based assistance programs and\n           they are encouraged to use and implement the EIV System in their day-to-day\n           operations.\n\n           During our fiscal year 2008 audit, we noted that the Department was also in the\n           process of implementing the Multifamily Housing Error Tracking Log (ETL)\n           initiative. The ETL initiative was supposed to document whether and to what\n           extent owners are accurately, thoroughly, and clearly determining family income\n           and rents in the Office of Multifamily Housing Subsidy Programs, and was to\n           track the specific dollar impact of income and rent discrepancies and the\n           corresponding resolution of such errors. However, we determined during our\n           fiscal year 2009 audit that ETL has not been implemented yet. In addition, it has\n           been renamed ISERS (Integrated Subsidy Error Reduction System) and is\n           currently going through the procurement process.\n\n\n\n\n                                           13\n\x0cNeed To Continue Progress on RHIIP Initiatives\n\n\n\n           HUD initiated the RHIIP as part of an effort in fiscal year 2001 to develop tools\n           and the capability to minimize erroneous payments. The type of erroneous\n           payments targeted includes the excess rental subsidy caused by unreported and\n           underreported tenant income. Since our last report, HUD has continued to make\n           progress in addressing the problems surrounding housing authorities\xe2\x80\x99 rental\n           subsidy determinations, underreported income, and assistance billings. However,\n           HUD still needs to ensure that it fully uses automated tools to detect rent subsidy\n           processing deficiencies and identify and measure erroneous payments.\n\n\nMonitoring of Intermediaries\xe2\x80\x99 Performance\n\n\n           During fiscal year 2006, HUD implemented a 5-year plan to perform consolidated\n           reviews to reinforce PIH\xe2\x80\x99s efforts in addressing PHAs\xe2\x80\x99 improper payments and\n           other high-risk elements. These reviews were also implemented to ensure the\n           continuation of PIH\xe2\x80\x99s comprehensive monitoring and oversight of PHAs. The 5-\n           year plan required HUD to perform tier 1 comprehensive reviews on\n           approximately 20 percent or 490 of the PHAs that manage 80 percent of HUD\xe2\x80\x99s\n           funds. According to the Fiscal Year 2009 Management Plan directive, PIH\n           identified 100 PHAs that receive 80 percent of HUD\xe2\x80\x99s funding for the priority tier\n           1 comprehensive reviews. Tier 2 reviews, chosen by field offices based on\n           availability of resources, are optional comprehensive reviews of the remaining\n           PHAs. The comprehensive reviews included rental integrity monitoring (RIM),\n           RIM follow-up on corrective action plans, EIV implementation and security,\n           Section 8 Management Assessment Program (SEMAP) confirmatory reviews,\n           SEMAP quality control reviews, exigent health and safety spot checks,\n           Management Assessment Subsystem certifications, and civil rights limited front-\n           end reviews.\n\n           Documentation provided during our review showed that 105 Tier I reviews were\n           performed during fiscal year 2009. Because of the deficiencies identified in the\n           consolidated reviews, corrective action plans were implemented at 12 PHAs from\n           Tier I reviews completed as of June 30, 2009. More corrective action plans may\n           be implemented from reviews completed in the last quarter. At the end of our\n           fieldwork, six PHAs had corrective action plans still open. Additionally, from\n           prior Tier I reviews, we noted that corrective action plans for 5 PHAs were still\n           open. HUD must continue to ensure that corrective action plans are implemented\n           and closed out, thereby ensuring that the systemic errors identified during the\n           reviews have been corrected.\n\n           In prior years, we reported that information contained in the PIH Inventory\n           Management System (PIC-IMS) was incomplete and/or inaccurate because\n           housing authority reporting requirements were discretionary. As a result PHAs\n\n\n                                            14\n\x0c          have been mandated to submit 100 percent of their family records to HUD. HUD\n          annually evaluates those PHAs not meeting the 95 percent requirement. In fiscal\n          year 2009, there were 190 PHAs of 3,121 that did not meet the minimum\n          reporting rate. We performed spot checks at the Chicago, San Francisco, and\n          Atlanta PIH field offices and found that for the most part, PHAs were meeting\n          HUD\xe2\x80\x99s reporting requirements. Since HUD uses the tenant data from its PIC-\n          IMS for the income-matching program and program monitoring, it is essential that\n          the database have complete and accurate tenant information. Therefore, until a\n          more efficient and effective means of verifying the accuracy of the data is\n          developed, HUD needs to continue to emphasize the importance of accurate\n          reporting and proactively enforce sanctions against those PHAs that do not follow\n          the requirement.\n\n          HUD has made substantial progress in taking steps to reduce erroneous payments.\n          However, it must continue its regular on-site and remote monitoring of the PHAs\n          and use the results from the monitoring efforts to focus on corrective actions\n          when needed. We are encouraged by the on-going actions to focus on improving\n          controls regarding income verification, as well as HUD\xe2\x80\x99S plans regarding\n          corrective action plans, consolidated reviews, and the continual income and rent\n          training for HUD staff, owners, management agents, and PHAs.\n\n\nMonitoring Public Housing Agencies\xe2\x80\x99\nUtilization of Excess Funds\n\n\n          Congress, in an attempt to limit the cost of the Housing Choice Voucher program\n          and to provide flexibility to the PHAs in the administration of available program\n          funding, enacted provisions in the fiscal year 2005 Appropriation Act (Public Law\n          108-447) that significantly changed the way HUD provides and monitors the\n          subsidies paid to PHAs. Starting January 1, 2005, Congress changed the basis of\n          the program funding from a \xe2\x80\x95unit-based\xe2\x80\x96 process to a \xe2\x80\x95budget-based\xe2\x80\x96 process that\n          limits the Federal funding to a fixed amount.\n\n          Under the legislation, HUD distributes Federal funding using a formula based on\n          the prior-year cost that is self-reported by housing agencies in the Voucher\n          Management System (VMS). HUD records the funding allocated to the PHA as\n          an expense and no longer records a receivable for any under-utilized funds\n          because the PHAs retain and are expected to use the funds in their entirety for\n          authorized program activities and expenses within the time allowed. Program\n          guidance states that any budget authority provided to PHAs that exceeds actual\n          program expenses for the same period must be maintained in a housing agencies\xe2\x80\x99\n          net restricted assets account (NRA). Although these funds are retained by the\n          PHA and not HUD, HUD relies on the PHAs for maintaining the excess budget\n          authority reserve available for program cost increases. If the excess budget\n          authority accumulated in the PHAs\xe2\x80\x99 NRA account is not needed to lease up to 100\n          percent of the vouchers, then the excess funds are considered \xe2\x80\x95unusable\xe2\x80\x96\n          according to program regulations. According to HUD\xe2\x80\x99s records, as of June 30,\n\n\n                                         15\n\x0c                    2009, the PHAs\xe2\x80\x99 NRA account showed a total of $840 million in total excess\n                    funding. Of the $840 million, $317 million has been categorized as unusable.\n\n                    HUD has the responsibility to ensure that these funds are properly accounted for\n                    and are used for authorized program activities. HUD is also responsible for\n                    monitoring intermediaries\xe2\x80\x99 performance. Consequently, the VMS cost data are\n                    critical to (1) determining over- and under utilization of funds and excess budget\n                    authority available for cost increases and budget offsets and (2) evaluating PHAs\xe2\x80\x99\n                    performance in ensuring that funds are used to serve the maximum number of\n                    families.\n\n                    In our fiscal year 2008 report,3 we recommended increased monitoring efforts\n                    regarding the excess budget authority held by PHAs to include the $1.9 billion\n                    NRA account balance as part of HUD\xe2\x80\x99s on-site monitoring review of PHAs. In\n                    addition, we recommended seeking legislative authority for offsetting $1.4 billion\n                    in PHAs\xe2\x80\x99 unusable excess budget authority. During April 2009, HUD completed\n                    a $780 million offset from those PHAs having large NRA balances.\n\n                    HUD\xe2\x80\x99s monitoring of the PHAs\xe2\x80\x99 expenditures and excess budget authority is a\n                    critical internal control to ensure the accuracy of the estimated annual $15 billion\n                    for the Housing Choice Voucher program and to ensure an adequate level of\n                    reserves for PHAs\xe2\x80\x99 operations. HUD\xe2\x80\x99s Real Estate Assessment Center performs a\n                    desk review of the PHAs\xe2\x80\x99 financial statements but does not validate and ensure\n                    the accuracy the PHAs\xe2\x80\x99 NRA excess funds.\n\n                    In conjunction with our audit, we learned that more than 370 PHAs were\n                    requesting additional funding in fiscal year 2009. The extra funding would be\n                    needed to cover anticipated funding shortfalls, which placed many families at risk\n                    of losing the subsidy. We performed reviews of the accounting records at 11\n                    PHAs from the list of 370 PHAs. For the 11 PHAs, we tested whether HUD\xe2\x80\x99s\n                    calculated NRA balances as of December 2008 were in agreement with PHAs\xe2\x80\x99\n                    records and whether excess funds were available for program use. Our review\n                    showed differences between PHAs\xe2\x80\x99 actual NRA balances and HUD\xe2\x80\x99s calculated\n                    NRA balances for all 11 PHAs reviewed.\n\n                    Our review of the DeKalb, GA, PHA showed that the PHA NRA balance was $5\n                    million or $4 million less than HUD\xe2\x80\x99s $9 million NRA calculated balance.\n                    DeKalb officials explained that excess funding from the NRA was used to cover\n                    administrative fee increases incurred for processing a higher than expected\n                    number of portability and disaster vouchers. In addition, DeKalb indicated that\n                    expenditures in VMS were understated by $2.5 million, causing a reduction of the\n                    funding received for 2009.\n\n\n\n\n3\n Additional Details to Supplement Our Report on HUD\xe2\x80\x99s Fiscal Year 2008 and 2007 Financial Statements, 2009-FO-0003, dated November 14,\n2008\n\n\n\n                                                                 16\n\x0cThe San Francisco PHA showed an NRA balance of $17 million, or $2 million\nhigher than HUD\xe2\x80\x99s $15 million calculated NRA. This difference was a result of\nthe PHA using $2 million less from its NRA to cover the 2008 budget offset.\n\nFor the nine other PHAs reviewed, we found that two PHAs showed $1 million\nand $8 million more in their respective NRA accounts than HUD recorded. The\nremaining seven PHAs showed less funding in their NRA accounts than HUD\nestimates, ranging from $214,000 to $18 million.\n\nWe attribute the differences in the HUD-calculated NRAs to the following\nfactors:\n\n   \xef\x82\xb7   VMS has no mechanism to (1) compare what the PHAs spend and receive\n       in administrative fee expenses and (2) capture transfers between housing\n       assistance and the funds for administrative fees,\n   \xef\x82\xb7   PHAs lacked an understanding of how to report expenditures in VMS,\n   \xef\x82\xb7   HUD failed to detect PHAs\xe2\x80\x99 noncompliance with financial requirements\n       due to its delays in implementing procedures for validating and\n       reconciling the NRA, and\n   \xef\x82\xb7   HUD did not include the NRA balances as part of its on-site monitoring\n       review of PHAs. HUD\xe2\x80\x99s Quality Assurance Division plans to include\n       NRA validation procedures in fiscal year 2010.\n\nRegarding the funding shortfalls at the 370 PHAs, the following factors\ncontributed to the shortfalls:\n\n   \xef\x82\xb7   The current state of the economy with higher than expected\n       unemployment rates has resulted in less income earned by families,\n       thereby shifting a larger share of the rent to be paid by the PHAs and\n       resulting in funds being consumed more rapidly than anticipated;\n   \xef\x82\xb7   PHAs were not always aware of the cost-saving measures available to\n       them. For example, decreasing rent payment standards, changing tenant\n       income standards, lowering utility payments, and restructuring repayment\n       agreements could result in cost savings to the PHAs;\n   \xef\x82\xb7   PHAs\xe2\x80\x99 lacked knowledge or misunderstood program rules for allowing the\n       use of administrative fee reserves for housing assistance in helping to\n       alleviate their funding shortfalls; and\n   \xef\x82\xb7   There were inaccuracies between the PHAs\xe2\x80\x99 actual NRA per book balance\n       and the calculated NRA balance used by HUD to process the funding\n       offsets; and\n   \xef\x82\xb7   Some PHAs did not have the excess funding available for program use to\n       supplement the funding offsets.\n\nHUD responded to the reported shortfalls by providing PHAs with technical\nassistance on cost-saving measures and a reconciling of PHAs\xe2\x80\x99 accounting\nrecords to HUD\xe2\x80\x99s calculated NRA balance. After HUD\xe2\x80\x99s review, a majority of\nthe PHA requests for additional funding were denied because HUD found that the\n\n\n\n                                17\n\x0c               PHAs were either over leasing vouchers or had sufficient funding. However,\n               HUD did identify 104 PHAs that needed $42.4 million in additional funding.\n               HUD plans to provide additional funding (1) using $11 million left over from the\n               $100 million set aside in the 2009 Appropriation Act (PL 111-18), (2) by\n               obtaining authorization from OMB to use part of the advance fiscal year 2010\n               appropriation, and (3) shifting $30 million from the remaining administrative fee\n               reserves in HUD\xe2\x80\x99s books. HUD is continuing to evaluate the financial status of\n               the PHAs and making adjustments as needed. In regard to the $317 million in\n               excess funding categorized as unusable, we recommend that HUD seek legislative\n               authority to perform additional offsets on PHAs having excess funding at year-\n               end. In addition, as recommended in last year\xe2\x80\x99s audit, (1) efforts to reconcile the\n               NRA accounts should start earlier in the year to ensure that PHAs have funds\n               available for program use, and (2) HUD needs to increase its on-site monitoring\n               by including the validation of the NRA as part of the VMS reviews.\n\n\n\n\nSignificant Deficiency: HUD Needs To Improve Its Processes for Reviewing\nObligation Balances\nHUD needs to improve controls over the monitoring of obligation balances to ensure that they\nremain needed and legally valid as of the end of the fiscal year. HUD\xe2\x80\x99s procedures for\nidentifying and deobligating funds that are no longer needed to meet its obligations were not\nalways effective. This has been a long-standing weakness.\n\nAnnually, HUD performs a review of unliquidated obligations to determine whether the\nobligations should be continued, reduced, or canceled. We evaluated HUD\xe2\x80\x99s internal controls\nfor monitoring obligated balances and found that HUD has made progress in implementing\nimproved procedures and information systems. However, additional improvement is needed.\nOur review of the 2009 year-end obligation balances showed that timely reviews of unexpended\nobligations for Section 8 project-based, Sections 202 and 811, rental assistance payment, rent\nsupplement, interest reduction payment program, and administrative and other program\nobligations were not being performed. As a result, $132.4 million in excess funds had not been\nrecaptured.\n\nIn addition, we identified more than $ 1.7 billion in obligations tied to more than 3,500 capital\nadvances or contracts awarded under Section 8 project-based and Sections 202 and 811 programs\nthat were reported in the subsidiary ledgers with no contract expiration dates. As a result, there\nwas no assurance that these contracts, as recorded in the system of record, were all active and\nthat obligations associated with these contracts were all valid. We recommend that HUD design\nand implement procedures to ensure that an expiration date is entered into the subsidiary ledger\nand perform a detailed review of these contracts to determine whether they are active contracts.\nExcess funds associated with contracts, later determined to be expired, should be recaptured.\nAlso, we recommend that HUD implement a long-term financial management strategy and\nimprovement plan to better manage and accurately report its obligation balances.\n\n\n\n                                               18\n\x0cProject-Based Section 8 Contracts\n\n\n\n            HUD\xe2\x80\x99s systems and controls for processing payments, monitoring, budgeting,\n            accounting, and reporting for Section 8 project-based contracts needs to be\n            improved. HUD has been hampered in its ability to estimate funding\n            requirements, process timely payments to project-based landlords, and recapture\n            excess funds in a timely manner. This problem is evidenced in HUD\xe2\x80\x99s long-term\n            challenges in paying Section 8 project-based landlords on a timely basis; properly\n            monitoring, budgeting, and accurately accounting for contract renewals; and\n            reporting obligation balances.\n\n            HUD administers 18,235 housing assistance payments contracts to provide about\n            1.25 million low-income housing units. A total of 14,459 contracts, covering\n            more than 1 million housing units, are currently subject to annual renewal. In\n            fiscal year 2008, obligations incurred for the 14,459 renewed contracts totaled\n            more than $6 billion. HUD\xe2\x80\x99s estimated $9.6 billion in budget authority for\n            Section 8 project-based contracts in fiscal year 2009 included $2.0 billion in\n            supplemental Recovery Act funds and a $221 million carryover from prior years.\n\n            Section 8 budget authority is generally available until expended. As a result,\n            HUD should periodically assess budget needs and identify excess program\n            reserves in the Section 8 programs as an offset to future budget requirements.\n            Excess program reserves represent budget authority originally received, which\n            will not be needed to fund the related contracts to their expiration. While HUD\n            had taken actions to identify and recapture excess budget authority in the Section\n            8 project-based program, weaknesses in the review process and inadequate\n            financial systems continued to hamper HUD\xe2\x80\x99s efforts. There was a lack of\n            automated interfaces between the Office of Housing subsidiary records and\n            HUD\xe2\x80\x99s general ledger for the control of program funds. This condition\n            necessitated that HUD and its contractors make extensive use of ad hoc analyses\n            and special projects to review Section 8 contracts for excess funds, which has\n            hampered HUD\xe2\x80\x99s ability to identify excess funds remaining on Section 8\n            contracts in a timely manner.\n\n            We have been reporting weaknesses in HUD\xe2\x80\x99s financial management systems\n            areas for many years, including making a recommendation that HUD develop a\n            long-term financial management system solution to automate and streamline its\n            processes. This year, as part of HUD\xe2\x80\x99s effort to improve the quality of services\n            within the rental housing assistance business areas, HUD conducted a study of its\n            performance gap and developed a long-term information technology (IT) strategy\n            and improvement plan to address the performance gap. However, as of the end of\n            fiscal year, it had not been implemented. Meanwhile, the shortcomings in the\n            financial management system continued to impair HUD\xe2\x80\x99s abilities to properly\n            monitor and accurately account for contract renewals and report obligation\n\n\n\n                                            19\n\x0c            balances. This problem is evidenced by the deficiencies found during our current\n            review.\n\n            This fiscal year, the Office of Housing recaptured approximately $288.7 million\n            in unliquidated obligation balances from 7,969 contracts in the Section 8 project-\n            based program. Our review of the Section 8 project-based contracts showed an\n            additional 692 contracts that had expired on or before January 1, 2009, or were\n            inactive with available contract/budget authority. These 692 contracts had $75.3\n            million in excess funds potentially available for recapture.\n\n            In addition, our review result raised concerns about the reliability of Program\n            Accounting System (PAS) data in providing accurate information with regard to\n            Section 8 project-based obligations and recapture of expired obligations balances.\n            Specifically, we noted that\n\n            \xef\x82\xb7   Contracts with 562 funding lines/increments and obligation balances totaling\n                more than $130 million were reported in PAS with no contract expiration\n                dates. As a result, there is no assurance that these 562 contracts are active and\n                the remaining obligation balances associated with these contracts remain\n                legally valid. HUD needs to review these contracts and recapture any excess\n                funds on contracts determined to be expired. These funds, up to $130 million,\n                could be put to better use to fund projects that require funding.\n\n            \xef\x82\xb7   Contracts with 325 funding lines/increments, expiration dates before January\n                1, 2009, and totaling more than $70 million were reported in PAS. Review of\n                these contracts by Office of Housing staff disclosed that the contracts were\n                \xe2\x80\x95fully disbursed,\xe2\x80\x96 thus overstating the PAS obligation balance by the same\n                amount. Funds associated with these contracts should be reviewed and\n                adjusted in PAS accordingly. These funds, up to $70 million, could be put to\n                better use to fund other projects requiring funding.\n\nSupportive Housing for the\nElderly and Disabled - Sections\n202 and 811 Programs\n\n            HUD is required by the Federal Managers\xe2\x80\x99 Financial Integrity Act to establish\n            internal controls to ensure that obligations are properly accounted for to permit\n            the preparation of accounts and reliable financial and statistical reports and to\n            maintain accountability over its obligations. Our review, however, showed that\n            HUD\xe2\x80\x99s subsidiary ledger supporting the obligation balances did not provide\n            reliable or complete information with regard to capital advances and/or contracts\n            awarded under the Sections 202 and 811 programs. As a result, there was no\n            assurance provided by the information system of record that information on\n            program obligations was accurately reported and legally valid.\n\n            HUD\xe2\x80\x99s Sections 202 and 811 programs provide affordable housing and supportive\n            services for elderly families and families with disabilities. These programs\n\n\n                                             20\n\x0cprovide capital advances to private nonprofit organizations to finance the\nconstruction of new facilities or acquisition or rehabilitation of existing facilities.\nThe capital advance is interest free and does not have to be repaid if the housing\nremains available for very low-income elderly or disabled families for at least 40\nyears.\n\nAfter the facility has been constructed and occupied, HUD provides additional\nproject rental assistance contract (PRAC) funds to owners to cover the difference\nbetween the HUD-approved operating cost for the project and the tenants\xe2\x80\x99\ncontribution toward rents.\n\nFunds for the capital advance and PRAC are obligated when the Section 202 or\n811 agreement letter is signed by the hub/program center director and the\nsponsor(s). An authorized signature memorandum from the Assistant Secretary\nfor Housing/Federal Housing Commissioner or designee to the Fort Worth\nAccounting Center completes the obligation. The Fort Worth Accounting Center\nverifies that funds are in LOCCS and records the obligation in PAS. Generally,\nfunds appropriated for capital advance and PRAC are available for three years.\nAfter three years, the funds expire and will not be available for obligation, thus\nnecessitating the need to track funds obligated under the program.\n\nAt the beginning of fiscal year 2009, the Sections 202 and 811 programs had\nunliquidated obligation balances of $ 3.7 billion and 1.0 billion, respectively. We\nreviewed the PAS subsidiary ledger supporting the current Sections 202 and 811\nprogram unliquidated obligation to determine whether unliquidated program\nobligations reported were valid and whether invalid obligations had been\ncancelled and recaptured in PAS. We found that HUD\xe2\x80\x99s PAS subsidiary ledger\ndid not provide reliable information with regard to capital advances and/or\ncontracts awarded under the Sections 202 and 811 programs. Specifically, we\nfound that\n\n\xef\x82\xb7   Obligations data totaling $ 20.2 million associated with 1,232 contracts were\n    reported in PAS as expired as of January 1, 2009. Funds associated with these\n    expired contracts could be deobligated and put to better use to fund other\n    projects that required funding.\n\n\xef\x82\xb7   Obligations data totaling more than $1.6 billion associated with 3,500\n    contracts for capital advances and other grants were reported in PAS with no\n    contract expiration dates. As a result, there was no assurance that obligations\n    on these contracts were accurately reported and legally valid. Funds\n    associated with expired contracts could potentially be deobligated and put to\n    better use to fund other projects that required funding.\n\nThe deficiencies in the Sections 202 and 811 programs occurred because of\nlimited resources. In addition, expiration dates on capital advances and grants\nwere not entered into the subsidiary ledger because of a lack of understanding that\nonce funds are obligated for capital advances and grants, they remain available to\nthe project. HUD needs to allocate additional resources to Sections 202 and 811\n\n\n                                  21\n\x0c          programs and develop and implement procedures to ensure that information on\n          program obligations was accurately reported and legally valid.\n\n\n\nSection 236 Interest Reduction Program\n\n\n\n          The Section 236 Interest Reduction Program (IRP) was created in 1968; however,\n          new program activity ceased in the mid-1970s. The multifamily activities carried\n          out by this program include making interest reduction payments directly to\n          mortgage companies on behalf of multifamily project owners. The contracts\n          entered into were typically up to 40 years, and HUD was required to fund these\n          contracts for their duration. At the time it entered into the contracts, HUD was to\n          record obligations for the entire amount. The obligations were established based\n          upon permanent indefinite appropriation authority. This budget authority is\n          included in the statement of budgetary resources and other consolidated financial\n          statements as \xe2\x80\x95other programs.\xe2\x80\x96\n\n          Although the Section 236 IRP is not a major program, program deficiencies have\n          been reported by OIG in prior reports on the financial statements. The Offices of\n          Housing and the Chief Financial Officer have been hampered by historically poor\n          record keeping in their attempt to accurately account for unexpended Section 236\n          budget authority balances and estimated future payments. These estimated\n          payments were the basis for HUD\xe2\x80\x99s recorded obligation balances necessary to\n          fully fund the contracts to their expiration. HUD adjusts the recorded obligations\n          as it proceeds through the term of the contracts to reflect best estimates of the\n          financial commitment. Factors that can change the budgetary requirements over\n          time include contract terminations, refinancing, and restructuring of the contracts.\n\n          In recent years, OIG noted that HUD had made a series of corrective actions to\n          address these deficiencies. However, improvement in the timing of its quarterly\n          reconciliation is needed to ensure that Section 236 IRP obligations are valid and\n          can be more accurately estimated and reported.\n\n          In fiscal year 2009, we identified 37 inactive Section 236 IRP contracts with more\n          than $49.6 million in excess contract and budget authority that could be\n          deobligated. These 37 contracts had been prepaid and terminated from the\n          program. HUD processed adjustments to deobligate more than $26.2 million for\n          5 of the 37 terminated projects. HUD agreed and processed adjustments to\n          deobligate an additional $23.4 million for the remaining 32 terminated projects in\n          this fiscal year.\n\n          HUD took corrective action to develop and implement revised quarterly\n          reconciliation procedures in the third quarter of the current fiscal year.\n\n\n\n\n                                           22\n\x0cRent Supplement and         Rental\nAssistance Payments\n\n\n           HUD was not recapturing excess undisbursed contract authority from the rent\n           supplement and rental assistance payments programs in a timely manner.\n           Although, HUD continues to make progress in this area, improvement is still\n           needed to ensure the timely recapture of excess funds.\n\n           The rent supplement and rental assistance payments programs have been in\n           existence since the mid 1960\xe2\x80\x99s and 1970\xe2\x80\x99s, respectively. The rent supplement\n           program and rental assistance payments operate much like the current project-\n           based Section 8 rental assistance program. Rental assistance is paid directly to\n           multifamily housing owners on behalf of eligible tenants\n\n           HUD\xe2\x80\x99s subsidiary ledgers show, on a fiscal year basis, the amount authorized for\n           disbursement and the amount that was disbursed under each project account.\n           Funds remain in these accounts until they are paid out or deobligated by HUD. If\n           the funds are not paid out or deobligated, the funds remain on the books,\n           overstating the needed contract authority, the excess of which should be\n           recaptured. Our prior audit reports showed that these funds were not being\n           recaptured in a timely manner.\n\n           In response to our concern, in fiscal year 2006, HUD developed and implemented\n           procedures to review quarterly and annually the programs and associated contract\n           authority requirements. Although progress has been made in this area,\n           improvement in the timing of its recently revised quarterly reconciliation review\n           is still needed to ensure the timely recapture of excess funds.\n\n           We performed a review in fiscal year 2009 of unliquidated obligations for the\n           multifamily projects\xe2\x80\x99 accounts under the rent supplement and rental assistance\n           programs. Our review found $11.2 million in undisbursed contract authority from\n           prior fiscal years on 259 multifamily projects that should be recaptured. HUD\n           later determined that more than $4.7 million of the $11.2 million could be\n           recaptured this year.\n\n\nAdministrative/Other Program Obligations\n\n\n\n           Annually, the Chief Financial Officer forwards requests for obligation reviews to\n           various administrative and programs offices. The focus of the review is on\n           administrative and program obligations that exceed threshold amounts established\n           by the Chief Financial Officer. In this year\xe2\x80\x99s review, the focus is on\n           administrative obligations that exceeded a balance of $17,000 and program\n           obligations that exceeded $217,000. Excluding the Section 8 and Sections 235\n\n\n                                            23\n\x0c              and 236 programs, which undergo separate review processes, HUD identified\n              1,184 obligations with remaining balances totaling $22.1 million for deobligation.\n              We tested the 1,184 obligations HUD identified to determine whether the\n              associated $22.1 million had been deobligated in HUD\xe2\x80\x99s Central Accounting\n              System and PAS. We found that, as of September 30, 2009, a total of 820\n              obligations with remaining balances totaling $8.8 million had not been\n              deobligated. HUD has initiated the process of closing these contracts, and the\n              associated funding should be recaptured in fiscal year 2009.\n\n              With respect to project-based Section 8 contracts, we recommended in our audit\n              of HUD\xe2\x80\x99s fiscal year 1999 financial statements that systems be enhanced to\n              facilitate timely closeout and recapture of funds. In addition, we recommended\n              that the closeout and recapture process occur periodically during the fiscal year\n              and not just at year-end. Implementation of the recommendations and the long-\n              term financial management system improvement plan is critical so that excess\n              budget authority can be recaptured in a timely manner and considered in\n              formulating requests for new budget authority.\n\n              With respect to Sections 202 and 811 programs, we recommend that HUD\n              develop and implement procedures for entering contract expiration dates into the\n              subsidiary ledger. The procedures should include entering contract expiration\n              dates and performing a detailed review of more than 3,500 contracts identified in\n              our review to determine whether more than $1.7 billion in obligations associated\n              with these contracts are all active and valid. Excess funds associated with\n              contracts later determined to be expired should be recaptured or deobligated.\n              These funds could be put to better use to fund other projects that need funding.\n\n              For HUD\xe2\x80\x99s administrative and other program funds, HUD needs to promptly\n              perform contract closeout reviews and recapture the associated excess contract\n              authority and imputed budget authority. In addition, HUD needs to address data\n              and system weaknesses to ensure that all contracts are considered in the\n              recapture/shortfall budget process including Section 236 IRP, rent supplement,\n              and rental assistance payment programs.\n\n\n\n\nSignificant Deficiency: HUD Financial Management Systems Need To\nComply With Federal Financial Management System Requirements\nIn fiscal year 2009 we determined that HUD\xe2\x80\x99s Office of Community Planning and (CPD)\nformula grant process specifically is not compliant with Federal financial management\nrequirements, in addition to our prior year finding that HUD is not in full compliance with\nFederal financial management requirements generally. CPD formula grant management process\nwas found not compliant due to the HUD grant management system implemented design which\n\n\n                                              24\n\x0ccan shift the funding year source entered by grantee to the oldest funds available in the system.\nHUD is required by federal financial management requirements to be able to reconcile the\nperformance data entered by the grantee in the grants management system to the accounting and\nbudget information in other financial management systems. However, according to CPD the\nfunding year information entered by the grantee is not provided in the interface to the disbursing\nfinancial management application or the core financial system. Also, HUD has not completed\ndevelopment of an adequate integrated financial management system. HUD is required to\nimplement a unified set of financial systems. This requirement includes the financial portions of\nmixed systems encompassing the software, hardware, personnel, processes (manual and\nautomated), procedures, controls, and data necessary to carry out financial management\nfunctions, manage financial operations of the agency, and report on the agency\xe2\x80\x99s financial status\nto central agencies, Congress, and the public. As currently configured, HUD financial\nmanagement systems do not meet the test of being unified. The term \xe2\x80\x95unified\xe2\x80\x96 is defined as\nmeaning that systems are planned for and managed together, operated in an integrated fashion,\nand linked electronically to efficiently and effectively provide agency-wide financial system\nsupport necessary to carry out the agency\xe2\x80\x99s mission and support the agency\xe2\x80\x99s financial\nmanagement needs.\n\nHUD\xe2\x80\x99s financial systems, many of which were developed and implemented before the issue date\nof current standards, were not designed to perform or provide the range of financial and\nperformance data currently required. The result is that HUD, on a department-wide basis, does\nnot have unified and integrated financial management systems that are compliant with current\nFederal requirements or provide HUD the information needed to effectively manage its\noperations on a daily basis. This situation could negatively impact management\xe2\x80\x99s ability to\nperform required financial management functions; efficiently manage the financial operations of\nthe agency; and report, on a timely basis, the agency\xe2\x80\x99s financial results, performance measures,\nand cost information.\n\n\n CPD Formula Grants Reporting is\n not in Compliance with FFMIA\n\n\n\n               HUD\xe2\x80\x99s design and implementation of the integrated financial management system\n               that supports the CPD formula grant programs is not in compliance with federal\n               financial management system requirements. The system does not provide the\n               required information related to the source and use of formula grants funding at the\n               transaction level. Federal financial management requirements expect that budget,\n               performance, and financial information are drawn from the same source, apply\n               consistent U.S. Standard General Ledger (USSGL) elements throughout the\n               recording, performance measurement, and financial reporting cycles. Federal\n               accounting standards require that cost information developed for different\n               purposes are drawn from a common data source and output reports should be\n               reconcilable to each other.\n\n               HUD uses its Integrated Disbursement and Information System (IDIS Online) to\n               support the financial management of CPD\xe2\x80\x99s formula grant programs. Grantees use\n\n\n                                                25\n\x0c           the system to track and drawdown CPD funds, report program income, and record\n           the results of CPD-funded activities. Annually, the grant recipient, based on a\n           Consolidated Plan, records information on approved activities in IDIS Online.\n           The fiscal year appropriation associated with a particular activity should be\n           accounted for within the system. As the grantees provide services or accomplish\n           activities, they report specific activity accomplishment information to the IDIS\n           Online system and create requests for reimbursement. While a grantee\xe2\x80\x99s program\n           year may not line up with a federal fiscal year due to when agreements are signed,\n           the achievements, and projects and activity costs recorded in IDIS Online must be\n           reconcilable with the appropriation year in which the funding was approved.\n\n           When processing a payment request for a given activity, IDIS Online selects the\n           oldest available funding source for the fund type associated with that activity.\n           CPD refers to this accounting practice as FIFO (first in first out). This method of\n           disbursement is used for all CPD formula grants. IDIS Online then interfaces with\n           Line of Credit Controls System (LOCCS), which is one of HUD\xe2\x80\x99s core financial\n           systems, to disburse the funds. LOCCS then passes the disbursement information\n           to Program Accounting System (PAS), which is the accounting system used to\n           generate the financial statements.\n\n           Since disbursements for activity performance and accomplishments reported in\n           IDIS are not reconcilable to appropriation specific accounting information in\n           LOCCS or PAS, the system is not in compliance with FFMIA. The Chief\n           Financial Officers Act of 1990 requires the agency to develop and maintain an\n           integrated agency accounting and financial management system, including\n           financial reporting and internal controls to incorporate integration of accounting\n           and budgetary information. In addition, OMB A-127 requires that financial\n           events be recorded by agencies throughout the financial management system\n           applying the requirements of the USSGL at the transaction level. It further states\n           that to be compliant with this requirement, the financial management systems\n           must have transaction detail supporting USSGL accounts available in the financial\n           management systems and directly traceable to specific USSGL account codes.\n\n\n\nHUD Required To Implement a\nCompliant Financial Management\nSystem\n\n\n           The Federal Financial Management Improvement Act of 1996 (FFMIA) requires,\n           among other things, that HUD implement and maintain financial management\n           systems that substantially comply with Federal financial management system\n           requirements. The financial management system requirements also include\n           implementing information system security controls. These requirements are\n           detailed in the Federal Financial Management System Requirements series issued\n           by the Joint Financial Management Improvement Program/Financial System\n           Integration Office (JFMIP/FISO). The requirements are also included in OMB\n\n\n                                           26\n\x0c           Circular A-127, \xe2\x80\x95Financial Management Systems.\xe2\x80\x96 Circular A-127 defines a\n           single integrated financial management system as a unified set of financial\n           systems and the financial portions of mixed systems (e.g., acquisition)\n           encompassing the software, hardware, personnel, processes (manual and\n           automated), procedures, controls, and data necessary to carry out financial\n           management functions, manage the financial operations of the agency, and report\n           on the agency\xe2\x80\x99s financial status.\n\n           As in previous audits of HUD\xe2\x80\x99s financial statements, in fiscal year 2009, there\n           continued to be instances of noncompliance with Federal financial management\n           system requirements. These instances of noncompliance have given rise to\n           significant management challenges that have (1) impaired management\xe2\x80\x99s ability\n           to prepare financial statements and other financial information without extensive\n           compensating procedures, (2) resulted in the lack of reliable, comprehensive\n           managerial cost information on its activities and outputs, and (3) limited the\n           availability of information to assist management in effectively managing\n           operations on an ongoing basis.\n\n\nHUD\xe2\x80\x99s Financial Systems Not\nAdequate\n\n\n           As reported in prior years, HUD does not have financial management systems that\n           enable it to generate and report the information needed to both prepare financial\n           statements and manage operations on an ongoing basis accurately and in a timely\n           manner. To prepare consolidated department-wide financial statements, HUD\n           required the Federal Housing Administration (FHA) and the Government\n           National Mortgage Association (Ginnie Mae) to submit financial statement\n           information on spreadsheet templates, which were loaded into a software\n           application. In addition, all consolidating notes and supporting schedules had to\n           be manually posted, verified, reconciled, and traced. To overcome these systemic\n           deficiencies with respect to preparation of its annual financial statements, HUD\n           was compelled to rely on extensive compensating procedures that were costly,\n           labor intensive, and not always efficient.\n\n           Due to a lengthy HUD Integrated Financial Management Improvement Project\n           (HIFMIP) procurement process and lack of funding for other financial application\n           initiatives, there were no significant changes made in fiscal year 2009 to HUD\xe2\x80\x99s\n           financial management processes. As a result, the underlying system limitations\n           identified in past years remained. The functional limitations of the three\n           applications (HUD\xe2\x80\x99s Central Accounting and Program System (HUDCAPS),\n           LOCCS and PAS) performing the core financial system function for HUD are\n           dependent on its data mart and reporting tool to complete the accumulation and\n           summarization of data needed for U.S. Department of the Treasury and OMB\n           reporting.\n\n\n\n\n                                           27\n\x0cHUD\xe2\x80\x99s Financial Systems\nLacking Managerial Cost Data\n\n\n\n          In fiscal year 2006, the Government Accountability Office (GAO) reported in\n          GAO-06-1002R Managerial Cost Accounting Practices that HUD\xe2\x80\x99s financial\n          systems did not have the functionality to provide managerial cost accounting\n          across its programs and activities. This lack of functionality has resulted in the\n          lack of reliable and comprehensive managerial cost information on its activities\n          and outputs. HUD lacks an effective cost accounting system that is capable of\n          tracking and reporting costs of HUD\xe2\x80\x99s programs in a timely manner to assist in\n          managing its daily operations. This condition renders HUD unable to produce\n          reliable cost-based performance information.\n\n          HUD officials have indicated that various cost allocation studies and resource\n          management analyses are required to determine the cost of various activities\n          needed for mandatory financial reporting. However, this information is widely\n          distributed among a variety of information systems, which are not linked and,\n          therefore, cannot share data. This situation makes the accumulation of cost\n          information time consuming, labor intensive, and untimely and ultimately makes\n          that cost information not readily available. Budget, cost management, and\n          performance measurement data are not integrated because HUD\n\n          \xef\x82\xb7   Did not interface its budget formulation system with its core financial system;\n\n          \xef\x82\xb7   Lacks the data and system feeds to automate a process to accumulate, allocate,\n              and report costs of activities on a regular basis for financial reporting needs, as\n              well as internal use in managing programs and activities;\n          \xef\x82\xb7   Does not have the capability to derive current full cost for use in the daily\n              management of HUD operations; and\n          \xef\x82\xb7   Requires an ongoing extensive quality initiative to ensure the accuracy of the\n              cost aspects of its performance measures as they are derived from sources\n              outside the core financial system.\n\n          While HUD has modified its resource management application to enhance its cost\n          and performance reporting for program offices and activities, the application does\n          not use core financial system processed data as a source. Instead, HUD uses a\n          variety of applications, studies, and models to estimate the cost of its program\n          management activities. One of these applications, Total Estimation and\n          Allocation Mechanism/Resource Estimation and Allocation Process\n          (TEAM/REAP), was designed for use in budget formulation and execution,\n          strategic planning, organizational and management analyses, and ongoing\n          management of staff resources. It was enhanced to include an allocation module\n          that added the capability to tie staff distribution to strategic objectives, the\n          President\xe2\x80\x99s Management Agenda, and HUD program offices\xe2\x80\x99 management plans.\n\n\n                                            28\n\x0c            Additionally, HUD has developed time codes and an associated activity for nearly\n            all HUD program offices to allow automated cost allocation to the program office\n            activity level. HUD has indicated that the labor costs that will be allocated to\n            these activities will be obtained from the HUD payroll service provider.\n            However, because the cost information does not pass through the general ledger,\n            current Federal financial management requirements are not met.\n\n\n\nFinancial Systems Not Providing for\nEffective and Efficient Financial\nManagement\n\n\n            During fiscal year 2009, HUD\xe2\x80\x99s financial information systems did not allow it to\n            achieve its financial management goals in an effective and efficient manner in\n            accordance with current Federal requirements. To perform core financial system\n            functions, HUD depends on three major applications, in addition to a data\n            warehouse and a report-writing tool. Two of the three applications that perform\n            core financial system functions require significant management oversight and\n            manual reconciliations to ensure accurate and complete information. HUD\xe2\x80\x99s use\n            of multiple applications to perform core financial system functions further\n            complicates financial management and increases the cost and time expended.\n            Extensive effort is required to manage and coordinate the processing of\n            transactions to ensure the completeness and reliability of information.\n\n            Additionally, the interface between the core financial system and HUD\xe2\x80\x99s\n            procurement system does not provide the required financial information. The\n            procurement system interface with HUDCAPS does not contain data elements to\n            support the payment and closeout processes. Also, the procurement system does\n            not interface with LOCCS and PAS. Therefore, the processes of fund\n            certification, obligation, deobligation, payment, and closeout of transactions that\n            are paid out of the LOCCS system are all completed separately, within either PAS\n            or LOCCS. This lack of compliance with Federal requirements impairs HUD\xe2\x80\x99s\n            ability to effectively monitor and manage its procurement actions.\n\n\n\nHUD Planning To Implement a Department-\nwide Core Financial System\n\n\n            HUD plans to implement a commercial Federal certified core financial system\n            and integrate the current core financial system into one department-wide core\n            financial system. HUD is initiating business process reengineering work to\n            ensure a smooth transition to a single integrated core financial system. FHA and\n            Ginnie Mae have already implemented a compatible and compliant system to\n\n\n                                            29\n\x0c               support the transition to the enterprise core financial system. HUD plans to select\n               a qualified shared service provider to host the enterprise system and integrate the\n               three financial systems (HUD, FHA, and Ginnie Mae) into a single system by\n               fiscal year 2015. Achieving integrated financial management for HUD will result\n               in a reduction in the total number of systems maintained, provide online, real-time\n               information for management decision making, enable HUD to participate in E-\n               Government initiatives, and align with HUD\xe2\x80\x99s IT modernization goals.\n\n               However, HIFMIP, launched in fiscal year 2003, has been plagued by delays, and\n               implementation of the core financial system has not yet begun. HIFMIP was\n               intended to modernize HUD\xe2\x80\x99s financial management systems in accordance with\n               a vision consistent with administration priorities, legislation, OMB directives,\n               modern business practices, customer service, and technology. HIFMIP will\n               encompass all of HUD\xe2\x80\x99s financial systems, including those supporting FHA and\n               Ginnie Mae. HUD had intended to begin the implementation in fiscal year 2006.\n               Due to delays with the procurement process, however, HUD anticipates that it\n               will not be able to begin the implementation of its core financial system until\n               fiscal year 2010. Until its core financial system is implemented, we believe that\n               the following weaknesses with HUD\xe2\x80\x99s financial management systems will\n               continue:\n\n               \xef\x82\xb7   HUD\xe2\x80\x99s ability to prepare financial statements and other financial information\n                   requires extensive compensating procedures.\n\n               \xef\x82\xb7   HUD has limited availability of information to assist management in\n                   effectively managing operations on an ongoing basis.\n\n\n\n\nSignificant Deficiency: Controls Over HUD\xe2\x80\x99s Computing Environment Can\nBe Further Strengthened\n\nHUD\xe2\x80\x99s computing environment, data centers, networks, and servers provide critical support to\nall facets of its programs, mortgage insurance, financial management, and administrative\noperations. In prior years, we reported on various weaknesses with general system controls and\ncontrols over certain applications, as well as weak security management. These deficiencies\nincrease risks associated with safeguarding funds, property, and assets from waste, loss,\nunauthorized use, or misappropriation.\n\nWe evaluated selected information systems general controls of HUD\xe2\x80\x99s computer systems on\nwhich HUD\xe2\x80\x99s financial systems reside. Our review found information systems control\nweaknesses that could negatively affect HUD\xe2\x80\x99s ability to accomplish its assigned mission,\nprotect its data and IT assets, fulfill its legal responsibilities, and maintain its day-to-day\nfunctions. Presented below is a summary of the control weaknesses found during the review.\n\n\n\n\n                                                30\n\x0c                                      Security Management Program\n\nHUD has made significant progress with implementing security management as it relates to the\nFederal Information Security Management Act of 2002 (FISMA). For instance, HUD developed\nguidance for its Blackberry users, conducted regular meetings with information systems security\nofficers to discuss current issues and trends, and improved its process for monitoring and\ncorrecting information security weaknesses by more effectively using the plans of action and\nmilestones. However, additional progress is needed. Specifically, in fiscal year 2009, we found\nthat\n\n    \xef\x82\xb7    HUD did not properly categorize those systems containing personally identifiable\n         information (PII). HUD\xe2\x80\x99s inventory of automated systems was not current and did not\n         contain all systems with PII.\n\n    \xef\x82\xb7    HUD did not properly report 5 of 34 category I4 security incidents to the proper\n         authorities within the mandated timeframes.\n\n\n                           Security Controls Over HUD\xe2\x80\x99s Web Applications\n\nWe audited security controls over HUD\xe2\x80\x99s Web applications5 and identified weaknesses in the\nareas of security configurations and technical controls. For instance, HUD did not ensure that\naccess controls followed the principle of least privilege for Web application configurations.\nWeak Web application security configurations disclose potentially sensitive information that\nmay enable a malicious user to devise exploits of the application and the resources it accesses.\nThis weakness could also potentially expose sensitive or confidential information as well as\nuseful information that may enable a malicious user to devise effective and efficient exploits of\nthe application and the resources it accesses.\n\nHUD did not adequately implement controls to ensure confidentiality and privacy for Web\napplications. These weaknesses were not exploitable vulnerabilities, but they were a violation of\nsecurity policy because the configurations potentially allowed access to data that are required to\nbe confidential by law. When weak privacy controls exist, they breach confidentiality\nrequirements to protect sensitive information. An attacker can take advantage of these\nvulnerabilities to discover and access sensitive and confidential data. Further, HUD did not\nadequately review Web applications for vulnerabilities and patch them. Exploiting\nvulnerabilities can breach confidentiality requirements to reveal sensitive information.\n\n\n\n\n                               Disaster Recovery Grant Reporting System\n\n\n4\n  In this category, an individual gains logical or physical access without permission to a Federal agency network,\nsystem, application, data, or other resource.\n5\n  Audit Report No. 2009-DP-0006, Review of HUD's Web Application Systems, issued September 29, 2009\n\n\n                                                         31\n\x0cWe audited selected controls within the Disaster Recovery Grant Reporting System (DRGR)6\nrelated to Neighborhood Stabilization Program (NSP) funding. We found that (1) access control\npolicies and procedures for DRGR violate HUD policy, (2) the system authorization to operate is\noutdated and based upon inaccurate and untested documentation, (3) CPD did not adequately\nseparate the DRGR system and security administration functions, and (4) CPD has not\nsufficiently tested interface transactions between DRGR and LOCCS. As a result, CPD cannot\nensure that only authorized users have access to the application, user access is limited to only the\ndata that are necessary for them to complete their jobs, and users who no longer require access to\nthe data in the system have had their access removed. Further, the failure to sufficiently test\ninterface transactions between DRGR and LOCCS leaves HUD with limited assurance that the\n$5.9 billion in NSP funding was accurately processed.\n\n\n                         Recovery Act Management and Reporting System\n\nOur review of HUD\xe2\x80\x99s management procedures, practices, and controls related to the Recovery\nAct Management and Reporting System (RAMPS)7 found that while HUD has taken actions to\ncomply with the reporting requirements under the Recovery Act, it did not fully comply with the\nreporting requirements to ensure that the recipients\xe2\x80\x99 use of all recovery funds is transparent to the\npublic and that the public benefits of these funds are reported clearly, accurately, and in a timely\nmanner.\n\nWe reviewed the April 30 and July 15, 2009, National Environmental Policy Act (NEPA) reports\nand found that HUD program offices did not have existing systems to collect the NEPA data,\nwere not able to use the newly developed RAMPS system, or were not provided training on how\nto use the system. As a result, HUD was not able to provide the NEPA status to the public in an\naccurate and timely manner for more than $2.9 billion in obligated funds. Additionally, HUD\ndid not complete required security and privacy documents before or during the early phase of\nsystem development. HUD did not follow Federal and HUD security policies for implementing\nthese security requirements for RAMPS. As a result, HUD officials could not ensure that all\nsecurity controls were in place, implemented correctly, and operating as intended.\n\n\n                              Security Controls Over HUD\xe2\x80\x99s Databases\n\nDuring fiscal year 2008, we evaluated security controls over HUD\xe2\x80\x99s databases.8 We identified\nsecurity configuration and technical control deficiencies within HUD\xe2\x80\x99s database security controls\nin the areas of (1) passwords, (2) system patches, and (3) system configuration. We followed up\non the status of these weaknesses during fiscal year 2009 and determined that technical control\ndeficiencies relating to database passwords and database patches have been reviewed and\ncorrected as the Office of the Chief Information Officer (OCIO) deemed appropriate. OCIO has\nnot yet implemented secure configuration baselines for databases and the reviews for monitoring\n\n6\n  Audit Report No. 2009-DP-0007, Review of Selected Controls within the Disaster Recovery Grant Reporting\nSystem, issued September 30, 2009.\n7\n  Audit Report No. 2009-DP-0008, Audit Report on the Review of Recovery Act Management and Reporting\nSystem (RAMPS), issued September 30, 2009\n8\n  Audit Report No. 2008-DP-0007, Evaluation of HUD \xe2\x80\x99s Security Controls over Databases, issued September 11,\n2008\n\n\n                                                     32\n\x0cthose configurations. This corrective action is not scheduled to be completed until December 31,\n2010.\n\n\n                                       HUD\xe2\x80\x99s Procurement System\n\nWe audited HUD\xe2\x80\x99s procurement systems in fiscal year 2006.9 Through actions taken during\nfiscal years 2007, 2008, and 2009, the Office of the Chief Procurement Officer (OCPO) has\nmade progress toward resolving the issues identified during the audit. However, two significant\nrecommendations made in the audit report remain open, and the procurement systems continue to\nbe noncompliant with Federal financial management requirements. OCPO has yet to complete\nthe corrective actions for the known open information security vulnerabilities. In addition,\nOCPO has not yet implemented functionality to ensure that there is sufficient information within\nHUD\xe2\x80\x99s current procurement systems to support the primary acquisition functions of fund\ncertification, obligation, deobligation, payment, and closeout. OCPO plans to replace the current\nacquisition systems and during fiscal year 2009, obtained $3.7 million in funding to purchase a\ncommercial off-the-shelf application. The acquisition of the new application is anticipated to be\ncomplete by June 30, 2010. However, full funding to complete the project has not been\nobtained; therefore, it is unclear when the new application will be fully implemented.\n\n\n                                         HUD\xe2\x80\x99s Financial Systems\n\nAs part of our review of HUD\xe2\x80\x99s information systems controls, we evaluated information security\ncontrols over the Nortridge Loan System (NLS), HUDCAPS, and Hyperion. We identified\ncontrol weaknesses that could negatively affect the integrity, confidentiality, and availability of\ncomputerized financial data within two of HUD\xe2\x80\x99s financial systems\xe2\x80\x94NLS and HUDCAPS. We\nalso followed up on previously identified control weaknesses within LOCCS.\n\n\n                            Loan Accounting System/Nortridge Loan System\n\nHUD\xe2\x80\x99s Loan Accounting System utilizes an off-the-shelf program entitled the Nortridge Loan\nSystem (NLS). HUD utilizes this application to maintain loan portfolio information for the\nSection 202 Housing for the Elderly and Handicapped Loan Program and the Flexible Subsidy\nProgram. During fiscal year 2009, we reviewed access controls for this application and found\nthat controls needed to be strengthened. We determined that controls over the NLS user\nrecertification process were not effective to ensure that all users with access to the production\ndata were properly recertified. In addition, HUD did not appropriately separate the functions of\nsystem administration and system security within NLS. By not ensuring that the access levels of\nall NLS users were reviewed, HUD was unable to ensure that users only had access to the data\nthat were necessary for them to complete their jobs, that only authorized users had access to the\nsystem, and that users who no longer required access to the data in the system had their access\nremoved. Inadequately segregated duties increase the risk that erroneous or fraudulent\ntransactions could be processed, that improper program changes could be implemented, and that\n\n\n9\n    Audit Report No. 2007-DP-0003, Review of HUD\xe2\x80\x99s Procurement Systems, issued January 25, 2007\n\n\n                                                      33\n\x0ccomputer resources could be damaged or destroyed. OCFO provided documentation to support\ncompletion of planned corrective actions. We are reviewing this documentation.\n\n\n                                            HUDCAPS\n\nHUDCAPS is part of HUD\xe2\x80\x99s core financial system. It captures, reports, controls, and\nsummarizes the results of the accounting processes including budget execution and funds\ncontrol, accounts receivable and collections, accounts payable, and general ledger. In our fiscal\nyear 2007 audit, we found that OCFO granted two contracted developers above-read access to\nthe HUDCAPS production data stored within the mainframe environment without documenting\neither their acceptance of the risks associated with or the justification for this access level. The\ndocumentation to support this access was not maintained by the system owner, and acceptance of\nthe risks associated with this access level was not documented in the system security plan.\nAdditionally, neither of the two developers received the required level of background\ninvestigation. One developer received only a minimum background investigation. The other\ndeveloper was not investigated at all. OCFO has completed actions to address these issues.\n\nDuring audit work completed in fiscal year 2009, however, we found that HUD did not take\nsteps to ensure that IT contractors were properly rescreened to ensure their continued eligibility\nto access sensitive systems and application data in accordance with HUD guidelines.\nSpecifically, HUD did not initiate updated background investigations for contractor personnel\nwith access to HUDCAPS every five years as required by HUD policy. As of December 2008,\nOCFO had not initiated updated background investigations for 10 of the 20 contractors with\nabove-read access to the HUDCAPS application. The background of one contractor employee\nhad not been reassessed since 1975. Background investigations ensure, to the extent possible,\nthat employees are suitable to perform their duties. By not performing required background\nscreenings, HUD increased its risk that unsuitable individuals would have access to sensitive\nsystems and data.\n\n\n                                             LOCCS\n\nDuring our fiscal year 2007 audit, we found that the controls over the LOCCS user recertification\nprocess were not effective to verify the access of all users. Systemic deficiencies led to the\nomission of more than 10,000 users from the LOCCS recertification process. An additional 199\nusers had last recertification dates within the application before March 31, 2006, indicating that\nthey also were not included in the fiscal year 2007 recertification process. During fiscal year\n2008, OCFO made improvements to this process by generating a report from the system that\nallowed it to identify users that only had approving authority within the application for the user\nrecertification process. During fiscal year 2009, OCFO made additional adjustments to the\nreport it created. Our review of the data from both 2008 and 2009 again identified LOCCS users\nthat were not recertified by the system. As a result, we concluded that further improvements are\nnecessary to ensure that all users of LOCCS are recertified in accordance with HUD policy and\nthat the corrective action taken in response to our 2007 finding did not fully address the problem.\n\n\n\n\n                                                34\n\x0c                              IBM Mainframe z/OS Operating System\n\nIn fiscal year 2008, we found that HUD had not ensured that (1) the account and sensitive access\nprivileges of a departed user were removed from the IBM mainframe and (2) libraries and data\nfiles within the IBM mainframe environment were adequately secured. These weaknesses could\nlead to unauthorized individuals using system software to circumvent security controls to read,\nmodify, or delete critical or sensitive information and programs.\n\nDuring our fiscal year 2009 review, we determined that HUD had removed the account and\nsensitive access privileges of a departed user from the IBM mainframe. However, HUD had not\ncompleted the task of securing libraries and data files within the IBM mainframe environment.\n\n                                Software Configuration Management\n\nWe previously reported that the configuration management10 plan for Institution Master File\n(IMF) contained outdated information. We also reported that HUD did not ensure that its IT\nsupport contractor provided the proper version of a configuration management tool used by five\nof its applications. Without updated configuration management documentation, HUD risks that\noutdated policies and plans may not address current risk and, therefore, be ineffective.\n\nHUD has not yet fully resolved the issue of the outdated version of the configuration\nmanagement tool. HUD has made progress in updating the configuration management plan for\nIMF. However, configuration management plans for several FHA applications identified in our\nfiscal year 2007 review still have not been updated to include reported issues such as incomplete\nor outdated information.\n\nAs part of our fiscal year 2009 audit, we reviewed the configuration management plan for the\nIntegrated Disbursement and Information System OnLine (IDIS OnLine). This configuration\nmanagement plan also lacked information and contained outdated information. Details of this\nfinding will be included in our report for our fiscal year 2009 review of information systems\ncontrols in support of the financial statements audit to be issued during 2010.\n\n\n                                          Contingency Planning\n\nSince 2006, we have reported that HUD\xe2\x80\x99s disaster recovery plan contained outdated information.\nWe recommended that HUD regularly review its disaster recovery plan to ensure that the\ndocument reflects current conditions. HUD explained that a contract modification was required\nto update the listing of critical applications and planned to accomplish this modification by\nDecember 31, 2007. During our fiscal year 2009 review, we found that HUD had updated\nlistings for the recovery team and critical applications. However, the disaster recovery plan still\ncontained conflicting information. Additionally, we found that disaster recovery exercises did\nnot fully test system functionality because critical applications were not verified through\ntransaction and batch processing and the exercises did not include recovery of all applications\nthat interface with the critical systems. By not having current information in the disaster\n\n10\n  Configuration management is the control and documentation of changes made to a system\xe2\x80\x99s hardware, software,\nand documentation throughout the development and operational life of the system.\n\n\n                                                      35\n\x0crecovery plan and fully testing system functionality during disaster recovery exercises, HUD\ncannot ensure that its systems and applications will function as intended in an actual emergency.\n\nIn 2008, we reported that contingency planning at third-party business sites was inadequate.\nStaffs were unfamiliar with or had limited knowledge of contingency planning requirements, and\ndocumentation was not readily available for use in case of emergency. We determined that HUD\nhad not specified contingency planning, continuity of operations, or disaster recovery\nrequirements in its agreements with third-party business partners. Such information is usually\nincluded in the terms and conditions of a contract or service-level agreement with the external\nbusiness partner. Consequently, third-party business partners developed limited contingency\nplanning policies that did not meet HUD or National Institute of Standards and Technology\n(NIST) requirements. Management generally agreed that corrective action was needed, but had\nnot yet taken action on any of OIG\xe2\x80\x99s recommendations.\n\n                                             Physical Security\n\nThis year, we performed on-site reviews of physical security controls in place at the network\noperations center and the data center, both maintained by HUD\xe2\x80\x99s two IT infrastructure\ncontractors. We concluded that physical security and environment controls at these facilities\nwere generally in place. We did not identify any significant control weaknesses.\n\nDuring fiscal year 2008, we evaluated how HUD\xe2\x80\x99s third-party business partners11 compensate\nfor the lack of physical security controls when information is removed from, maintained, or\naccessed from outside the agency location. We reported that physical security at the third-party\nbusiness sites we visited was inadequate and weaknesses existed at those sites. We found\ninstances in which servers were located in common areas (i.e., lunch rooms, halls), case binders\nwith PII were left unattended, no guard or receptionist was at the entrance, access doors were\nunlocked, and encryption of data residing on laptops or portable devices was not a requirement.\nHUD had not specified the level of security controls and included it in the terms and conditions\nof the contract or service-level agreement with the external business partner. As a result, third-\nparty business partners have developed various IT security controls and policies that do not meet\nHUD or Federal requirements and, therefore, cannot be relied upon to provide adequate\nprotection of HUD\xe2\x80\x99s sensitive data. Management generally agreed that corrective action was\nneeded but had not taken action on any of OIG\xe2\x80\x99s recommendations.\n\n\n\n\n11\n  Third-party business partners are external business partners who contract to do business with HUD such as\nhousing authorities and mortgage lenders who use the PIH Inventory Management System (PIH-IMS), Tenant\nRental Assistance Certification System (TRACS), and Computerized Homes Underwriting Management System\n(CHUMS).\n\n\n\n                                                      36\n\x0cSignificant Deficiency: Weak Personnel Security Practices Continue To Pose\nRisks of Unauthorized Access to HUD\xe2\x80\x99s Critical Financial Systems\nFor several years, we have reported that HUD\xe2\x80\x99s personnel security practices regarding access to\nits systems and applications were inadequate. Deficiencies in HUD\xe2\x80\x99s IT personnel security\nprogram were found, and recommendations were made to correct the problems. However, the\nrisk of unauthorized access to HUD\xe2\x80\x99s financial systems remains a critical issue. We followed up\non previously reported IT personnel security weaknesses and deficiencies and found that\ndeficiencies still existed. Specifically,\n\n   \xef\x82\xb7   Since 2004, we have reported that HUD did not have a complete list of all users with\n       above-read access at the application level. Those users with above-read access to\n       sensitive application systems are required to have a background investigation. Our\n       review this year found that HUD still did not have a central repository that lists all users\n       with access to HUD\xe2\x80\x99s general support and application systems. Consequently, in fiscal\n       year 2009, HUD still had no central listing for reconciling that all users who have access\n       to HUD\xe2\x80\x99s critical and sensitive systems have had the appropriate background\n       investigation.\n\n       While HUD\xe2\x80\x99s implementation in 2007 of the Centralized HUD Account Management\n       Process (CHAMP) was a step toward improving its user account management practices,\n       CHAMP remains incomplete and does not fully address OIG\xe2\x80\x99s concerns. Specifically,\n       we noted that\n\n           o CHAMP does not contain complete and accurate data. OCIO did not\n             electronically migrate data from the HUD Online User Registration System\n             (HOURS) into CHAMP. Instead, it chose to enter the legacy data manually.\n             However, this process had not been completed. In a July 2008 audit report, we\n             recommended that all offices within HUD provide the historical information\n             necessary to populate CHAMP. OCIO agreed with our recommendation, and\n             corrective action is scheduled for completion in December 2009.\n\n           o CHAMP does not contain a mechanism to escalate or reassign tasks that have not\n             been completed within a specified timeframe. In a July 2008 audit report, we\n             recommended that OCIO develop and implement such a mechanism. OCIO\n             agreed with the recommendation, and corrective action is scheduled for\n             completion in December 2009.\n\n           o HUD did not conduct a security categorization and a risk assessment for CHAMP\n             as required by Federal Information Processing Standards (FIPS) Publications\n             (PUB) 199 and 200. HUD\xe2\x80\x99s OCIO chose not to conduct a security categorization\n             and risk assessment for CHAMP because it believed that these items were not\n\n\n                                                37\n\x0c           required for CHAMP, which is listed as a process rather than a system. HUD also\n           believed that since CHAMP was exclusively owned by its IT contractor, it was\n           not subject to the requirements of a security categorization and a risk assessment.\n           Without a security categorization and risk assessment of CHAMP, HUD cannot\n           know the full extent of risks that the CHAMP process is vulnerable to or whether\n           adequate levels of security controls have been put into place to protect data and\n           applications impacted by CHAMP. OIG recommended that OCIO conduct a\n           security categorization and a risk assessment for CHAMP. OCIO agreed with this\n           recommendation; however, corrective action had not been taken.\n\n\xef\x82\xb7   Reconciliations to identify users with above-read (query) access to HUD mission-critical\n    (sensitive) applications but without appropriate background checks were not routinely\n    conducted. Officials from the Office of Security and Emergency Planning (OSEP) and\n    OCIO asserted that with the implementation of CHAMP and the new security manager\n    computer system, it would be impossible for an employee or contractor to obtain access\n    to any of HUD\xe2\x80\x99s systems without the appropriate background investigation. Thus, the\n    reconciliation was no longer needed.\n\n    Contrary to OSEP and OCIO\xe2\x80\x99s assertions, a reconciliation performed by OSEP for\n    second quarter 2009 identified 27 persons with the incorrect level of background\n    investigation, including three persons with no record of a background investigation\n    having been performed. In addition, although the HUD Personnel Security/Suitability\n    Handbook contains policies to suspend, deny, and terminate access of users who do not\n    meet its standards, we found no evidence that HUD OCIO had taken actions regarding\n    users without appropriate background investigations having access to HUD\xe2\x80\x99s sensitive\n    systems. As a result, HUD cannot ensure that its critical and sensitive information can be\n    protected from unauthorized access, loss, misuse, modification, or improper disclosure.\n\n    We remain concerned because the reconciliation included users of only one of HUD\xe2\x80\x99s\n    mission-critical systems. We previously reported that users of HUD\xe2\x80\x99s general support\n    systems on which these mission-critical applications reside were not included in the\n    reconciliations because they were not classified as mission critical. Having access to\n    general support systems typically includes access to system tools, which provide the\n    means to modify data and network configurations. We identified IT personnel, such as\n    database administrators and network engineers, who had access to these types of system\n    tools but did not have appropriate background checks. These persons were not identified\n    as part of the CHAMP reconciliation process.\n\n\n\n\n                                            38\n\x0c                Compliance With Laws and Regulations\n\nHUD Did Not Substantially Comply With the Federal Financial Management\nImprovement Act\nFFMIA requires auditors to report whether the agency\xe2\x80\x99s financial management systems\nsubstantially comply with the Federal financial management systems requirements and\napplicable accounting standards and support the U.S. Standard General Ledger (SGL) at the\ntransaction level. We found that HUD was not in substantial compliance with FFMIA because\nHUD\xe2\x80\x99s financial management system did not substantially comply with Federal financial\nmanagement system requirements.\n\nDuring fiscal year 2009, HUD made limited progress as it attempted to address its financial\nmanagement deficiencies to bring the agency\xe2\x80\x99s financial management systems into compliance\nwith FFMIA. Deficiencies remained as HUD\xe2\x80\x99s financial management systems continued to not\nmeet current requirements and were not operated in an integrated fashion and linked\nelectronically to efficiently and effectively provide agency-wide financial system support\nnecessary to carry out the agency\xe2\x80\x99s mission and support the agency\xe2\x80\x99s financial management\nneeds.\n\nHUD is required by OMB Circular A-127 to perform reviews of all HUD financial management\nsystems within a three year cycle. For the current three fiscal year cycle, fiscal year 2007 to\n2009, HUD only completed 7 of 40 required financial management system reviews.\n\n Federal Financial Management System\n Requirements\n\n              In its Fiscal Year 2009 Performance and Accountability Report, HUD reported\n              that 2 of its 40 financial management systems did not comply with the\n              requirements of FFMIA and OMB Circular A-127, Financial Management\n              Systems. Although 38 individual systems had been certified as compliant with\n              Federal financial management systems requirements, HUD had not adequately\n              performed independent reviews of these systems as required by OMB Circular A-\n              127. Collectively and in the aggregate, deficiencies continued to exist.\n\n              We continue to report as a significant deficiency that HUD financial management\n              systems need to comply with Federal financial management systems requirements.\n              The significant deficiency addresses how HUD\xe2\x80\x99s financial management systems\n              remain substantially noncompliant with Federal financial management\n              requirements.\n\n              FHA\xe2\x80\x99s auditor reports as significant deficiencies that (1) financial system capacity\n              limitations could impact business processing, (2) effective FHA modernization is\n              necessary to address systems risks, and (3) FHA should enhance the general\n\n\n                                               39\n\x0c               ledger system user access management processes. These significant deficiencies\n               address the challenges in FHA\xe2\x80\x99s capacity to simultaneously address various\n               system modernization initiatives and control deficiencies affecting the reliability\n               and completeness of FHA\xe2\x80\x99s financial information.\n\n               We also continue to report as significant deficiencies that (1) controls over\n               HUD\xe2\x80\x99s computing environment can be further strengthened and (2) weak\n               personnel security practices continue to pose risks of unauthorized access to the\n               Department\xe2\x80\x99s critical financial systems. These significant deficiencies discuss\n               how weaknesses with general controls and certain application controls and weak\n               security management increase risks associated with safeguarding funds, property,\n               and assets from waste, loss, unauthorized use, or misappropriation.\n\n               In addition, OIG audit reports have disclosed that security of financial information\n               was not provided in accordance with OMB Circular A-130, Management of\n               Federal Information Resources, appendix III, and FISMA.\n\nWe have included the specific nature of noncompliance issues, responsible program offices, and\nrecommended remedial actions in appendix C of this report.\n\n\n\n\nHUD Did Not Substantially Comply With the Antideficiency Act\n\nAlthough HUD\xe2\x80\x99s OCFO has improved its process for conducting, completing, reporting, and\nclosing the investigation of potential Antideficiency Act (ADA) violations in a timely manner,\ncontinued improvement is still needed. Our review determined that there were six ADA\nviolations that had not been reported immediately to the President through OMB, Congress, or\nGAO, as required by 31 U.S.C. (United States Code) 1351.1517(b) (Antideficiency Act). In\naddition, one potential ADA violation has been under review for two years without a final\ndetermination as to whether or not a violation had occurred.\n\nOCFO is responsible for investigating and reporting on violations of the ADA. Last year\xe2\x80\x99s audit\nconcluded that OCFO was not conducting, completing, reporting, and closing the investigation\nof potential ADA violations in a timely manner. As of the end of the fiscal year 2008 audit, six\ncases were determined by OCFO investigators to be ADA violations that warranted reporting,\nbut the six violations had not been reported as required. Follow-up on these six cases during our\ncurrent audit showed that four of the six ADA violations were reported to the President,\nCongress, and GAO on December 31, 2008. The remaining two ADA violations remained\nunreported. These two cases had been under investigation for four years and in report stage for\none year. There are an additional four cases, which were determined by OCFO investigators to\nbe ADA violations in 2009, which had not been reported as of the end of the 2009 audit. Three\nof these cases have been under investigation since 2006 and one since 2008.\n\nOCFO has made progress in closing out its case backlog. As of the end of fiscal year 2009,\nOCFO had closed 13 cases determined not to be ADA violations. However, our 2009 audit\n\n\n\n                                                40\n\x0cfound that one investigation had not been conducted or closed in a timely manner. This case has\nbeen under investigation since 2007 as OCFO continues to collect additional financial data for\nreview and analysis. To date, the investigator has not made a final determination as to whether\nor not it is an ADA violation. In addition, there have been three new ADA cases, which opened\nin January and June 2009, that were still in the preliminary data collection stage of the\ninvestigation, as of September 30, 2009.\n\n\n\n\n                                              41\n\x0cAppendix A\n                       Objectives, Scope, and Methodology\n\nManagement is responsible for\n\n*      Preparing the principal financial statements in conformity with generally accepted\n       accounting principles;\n*      Establishing, maintaining, and evaluating internal controls and systems to provide\n       reasonable assurance that the broad objectives of Federal Managers\xe2\x80\x99 Financial Integrity\n       Act are met; and\n*      Complying with applicable laws and regulations.\n\nIn auditing HUD\xe2\x80\x99s principal financial statements, we were required by Government Auditing\nStandards to obtain reasonable assurance about whether HUD\xe2\x80\x99s principal financial statements are\nfree of material misstatements and presented fairly in accordance with generally accepted\naccounting principles. We believe that our audit provides a reasonable basis for our opinion.\n\nIn planning our audit of HUD\xe2\x80\x99s principal financial statements, we considered internal controls\nover financial reporting by obtaining an understanding of the design of HUD\xe2\x80\x99s internal controls,\ndetermined whether these internal controls had been placed into operation, assessed control risk,\nand performed tests of controls to determine our auditing procedures for the purpose of\nexpressing our opinion on the principal financial statements. We are not providing assurance on\nthe internal control over financial reporting. Consequently, we do not provide an opinion on\ninternal controls. We also tested compliance with selected provisions of applicable laws,\nregulations, and government policies that may materially affect the consolidated principal\nfinancial statements. Providing an opinion on compliance with selected provisions of laws,\nregulations, and government policies was not an objective, and, accordingly, we do not express\nsuch an opinion.\n\nWe considered HUD\xe2\x80\x99s internal control over required supplementary stewardship information\nreported in HUD\xe2\x80\x99s Fiscal Year 2009 Performance and Accountability Report by obtaining an\nunderstanding of the design of HUD\xe2\x80\x99s internal controls, determined whether these internal\ncontrols had been placed into operation, assessed control risk, and performed limited testing\nprocedures as required by AU Section 558, Required Supplementary Information. The tests\nperformed were not to provide assurance on these internal controls, and, accordingly, we do not\nprovide assurance on such controls.\n\nWith respect to internal controls related to performance measures to be reported in the\nManagement\xe2\x80\x99s Discussion and Analysis and HUD\xe2\x80\x99s Fiscal Year 2009 Performance and\nAccountability Report, we obtained an understanding of the design of significant internal\ncontrols relating to the existence and completeness assertions as described in Section 230.5 of\nOMB Circular A-11, Preparation, Submission and Execution of the Budget. We performed\nlimited testing procedures as required by AU Section 558, Required Supplementary Information,\nand OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements, as amended.\nOur procedures were not designed to provide assurance on internal control over reported\nperformance measures, and, accordingly, we do not provide an opinion on such controls.\n\n\n                                               42\n\x0cTo fulfill these responsibilities, we\n\n*      Examined, on a test basis, evidence supporting the amounts and disclosures in the\n       consolidated principal financial statements;\n*      Assessed the accounting principles used and the significant estimates made by\n       management;\n*      Evaluated the overall presentation of the consolidated principal financial statements;\n*      Obtained an understanding of internal controls over financial reporting, executing\n       transactions in accordance with budget authority, compliance with laws and regulations,\n       and safeguarding assets;\n*      Tested and evaluated the design and operating effectiveness of relevant internal controls\n       over significant cycles, classes of transactions, and account balances;\n*      Tested HUD\xe2\x80\x99s compliance with certain provisions of laws and regulations; government-\n       wide policies, noncompliance with which could have a direct and material effect on the\n       determination of financial statement amounts; and certain other laws and regulations\n       specified in OMB Bulletin 07-04, as amended, including the requirements referred to in\n       the Federal Managers\xe2\x80\x99 Financial Integrity Act;\n*      Considered compliance with the process required by the Federal Managers\xe2\x80\x99 Financial\n       Integrity Act for evaluating and reporting on internal control and accounting systems; and\n*      Performed other procedures we considered necessary in the circumstances.\n\nWe did not evaluate the internal controls relevant to operating objectives as broadly defined by\nthe Federal Managers\xe2\x80\x99 Financial Integrity Act. We limited our internal control testing to those\ncontrols that are material in relation to HUD\xe2\x80\x99s financial statements. Because of inherent\nlimitations in any internal control structure, misstatements may nevertheless occur and not be\ndetected. We also caution that projection of any evaluation of the structure to future periods is\nsubject to the risk that procedures may become inadequate because of changes in conditions or\nthat the effectiveness of the design and operation of policies and procedures may deteriorate.\n\nOur consideration of the internal controls over financial reporting would not necessarily disclose\nall matters in the internal controls over financial reporting that might be significant deficiencies.\nWe noted certain matters in the internal control structure and its operation that we consider\nsignificant deficiencies under OMB Bulletin 07-04, as amended. Under standards issued by the\nAmerican Institute of Certified Public Accountants, a significant deficiency is a deficiency or a\ncombination of deficiencies, in internal control such that there is more than a reasonable\npossibility that a misstatement of the entity\xe2\x80\x99s financial statements will not be prevented or\ndetected.. It is less severe than a material weakness, yet important enough to merit attention by\nthose charged with governance.\n\nA material weakness is a significant deficiency, or combination of significant deficiencies, that\nresult in a reasonable possibility that a material misstatement of the financial statements will not\nbe prevented, or detected and corrected on a timely basis.\n\nOur work was performed in accordance with generally accepted government auditing standards\nand OMB Bulletin 07-04, as amended.\n\n\n\n\n                                                 43\n\x0cThis report is intended solely for the use of HUD management, OMB, and the Congress.\nHowever, this report is a matter of public record, and its distribution is not limited.\n\n\n\n\n                                              44\n\x0cAppendix B\n                                    Recommendations\n\n\nTo facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking\nSystem (ARCATS), this appendix lists the newly developed recommendations resulting from our\nreport on HUD\xe2\x80\x99S fiscal year 2009 financial statements. Also listed are recommendations from\nprior years\xe2\x80\x99 reports that have not been fully implemented. This appendix does not include\nrecommendations pertaining to FHA and Ginnie Mae issues because they are tracked under\nseparate financial statement audit reports of that entity.\n\n\n                 Recommendations From the Current Report\nWith respect to the significant deficiency that the Office of Community Planning and\nDevelopment (CPD) needs to improve its oversight of grantees, we recommend that CPD\n\n       1.a.   Follow existing policies and regulations to conduct an annual review of whether the\n              States obligated and announced 100 percent of their grant award within 15 months\n              of signing the grant agreement with HUD.\n\n       1.b.   Follow existing policies and regulations that require follow-up and remedial action\n              against States that are in noncompliance.\n\n       1.c.   Ensure that the most complete and accurate data is used to conduct the review of\n              the timeliness requirement for the State Community Development Block Grant\n              (CDBG) program.\n\n       1.d.   Consider modifying an existing system to create an automated process that will\n              house all of the data needed to review the timeliness requirement for the State\n              CDBG program to create a more effective and efficient process.\n\n       1.e.   Determine whether the $24.7 million in unexpended funds for the HOME program\n              from fiscal years 2001 and earlier that are not spent in a timely manner should be\n              recaptured and reallocated in next year\xe2\x80\x99s formula allocation.\n\n       1.f.    Develop a policy for the HOME program that would track expenditure deadlines\n              for funds reserved and committed to community housing development\n              organizations and subgrantees separately.\n\n       1.g.   Ensure that its field offices review the status of the identified contracts and\n              recapture up to the $42 million identified in undisbursed obligations for expired\n              contracts that were funded with grants during 1997-2001 for homeless assistance\n              programs and consider the funds for inclusion in the fiscal year 2010 Continuum of\n              Care competition.\n\n\n\n\n                                               45\n\x0c       1.h.   Develop policy and procedures that ensure an annual review of the status of each of\n              its homeless assistance contracts and recommend deobligations and recapture of\n              excess funds when applicable.\n\n       1.i.   Develop the management reports needed to effectively track its homeless\n              assistance program contract expiration dates.\n\n       1.j.   Require field offices to monitor participating jurisdictions to ensure that project\n              completion information and beneficiary data are complete, accurate, and entered\n              into HUD\xe2\x80\x99s Integrated Disbursement and Information System (IDIS) monthly for\n              the HOME program.\n\n       1.k. Require participating jurisdictions for the HOME program to have quality control\n            systems in place to ensure that the required project completion information and\n            beneficiary data are complete, accurate, and entered into IDIS monthly.\n\n       1.l.   Require field offices to follow up with participating jurisdictions on slow-moving\n              projects to determine the reason for the delays in the HOME program.\n\nWith respect to the significant deficiency that HUD management must continue to improve\noversight and monitoring of subsidy calculations, intermediaries\xe2\x80\x99 performance, and Housing\nChoice Voucher funds, we recommend that the Office of Public and Indian Housing, in\ncoordination with the Office of General Counsel,\n\n       2.a.   Seek legislative authority to implement $317 million or the balance categorized as\n              unusable as of December 2010 in offsets against public housing agencies\xe2\x80\x99 (PHA)\n              excess unusable funding held in the net restricted assets account.\n\n       2.b. Seek legislative authority to retain such funding offsets as a resource to create\n            reserves that will enable HUD to quickly reallocate resources where needed to\n            supplement any future deficiencies and/or to provide funding required due to a late\n            enactment of appropriation.\n\nWith respect to the significant deficiency that HUD management must continue to improve\noversight and monitoring of subsidy calculations, intermediaries\xe2\x80\x99 performance, and Housing\nChoice Voucher funds, we recommend that the Office of Public and Indian Housing\n\n       2.c. Develop a mechanism in the Voucher Management System that enables HUD to (1)\n            track and compare what the PHAs spend and receive in administrative fee expenses\n            and (2) capture transfers between housing assistance and the funds for\n            administrative fees, resulting in better estimates of net restricted assets account\n            calculated balances.\n\n       2.d. Develop procedures to validate the net restricted assets account balances as part of\n            its on-site monitoring review of PHAs and initiate reviews earlier in the year to\n            ensure that excess funding in PHAs\xe2\x80\x99 net restricted assets account is accurate before\n            funding decisions are made.\n\n\n\n                                                46\n\x0cWith respect to the significant deficiency that HUD needs to improve the process for reviewing\nobligation balances, we recommend that the Chief Financial Officer, in coordination with the\nappropriate program offices,\n\n       3.a. Deobligate the $8.8 million in administrative and program unliquidated obligations\n            that were marked for deobligation.\n\n       3.b. Promptly perform contract closeout reviews and recapture of invalid obligations.\n\nWith respect to the significant deficiency that HUD needs to improve the process for reviewing\nobligation balances, we recommend that the Chief Financial Officer, in coordination with the\nOffice of Housing,\n\n       3.c.   Deobligate $4.7 million in excess unexpended rental assistance and rent\n              supplement funds identified by HUD\xe2\x80\x99s fiscal year 2009 financial statement audit.\n\n       3.d.   Fully implement quarterly scheduled recapture review and reconciliation\n              procedures to ensure that excess undisbursed contract authority from rental\n              assistance payments and rent supplement projects is recaptured in a timely manner.\n\n       3.e.   Deobligate $23.4 million in excess unexpended Section 236 funds identified by\n              HUD\xe2\x80\x99s fiscal year 2009 financial statement audit.\n\n       3.f.   Fully implement the revised quarterly contract reconciliation procedure to ensure\n              that Section 236 obligations reported are valid and can be more accurately\n              estimated and reported.\n\n       3.g.   Review supporting contracts to support $75.3 million in undisbursed Section 8\n              project-based contract/budget authority associated with 692 expired or inactive\n              contracts that we identified during our review or recapture funds if they cannot be\n              supported.\n\n        3.h. Enter expiration dates and perform a detailed review of 562 Section 8 project-based\n             contracts with no expiration dates reported in the Program Accounting System\n             (PAS) to determine whether they are active contracts. Excess funds associated with\n             contracts later determined to be expired should be recaptured. These funds could\n             be put to better use to fund other projects that need funding.\n\n       3.i.   Section 8 project-based contracts with 325 funding lines/increments, expiration\n              dates before January 1, 2009, and totaling more than $70 million reported in PAS\n              should be reviewed and adjusted accordingly in PAS. These funds, up to $70\n              million, could be put to better use to fund other projects requiring funding.\n\n       3.j.   Implement a long-term financial management strategy and improvement plan and\n              address data and systems weaknesses to ensure that all Section 8 project-based\n              contracts are considered in the recapture/shortfall budget process.\n\n\n\n\n                                                47\n\x0c       3.k.   Research the expired Sections 202 and 811 contracts identified in our audit to\n              determine whether these are active contracts and/or recapture up to $20.2 million\n              associated with these expired contracts if they cannot be supported.\n\n       3.l.   Allocate additional resources to Sections 202 and 811 programs and design and\n              implement procedures to ensure that expiration dates are entered into the PAS\n              subsidiary ledger.\n\n       3.m. Enter expiration dates and perform a detailed review of approximately 3,500\n            Sections 202 and 811 contracts with no expiration dates reported in PAS to\n            determine whether they are active. Excess funds, associated with contracts\n            reported in PAS with no expiration dates that are later determined to be expired,\n            should be recaptured. These funds could be put to better use to fund other projects\n            that needed funding.\n\nWith respect to the significant deficiency that HUD's Financial Management Systems Need to\nComply with Federal Financial Management System Requirements, we recommend that the\nOffice of Community Planning and Development:\n\n       4.a.   Ensure that its programs are accounting for and reporting their financial and\n              performance information in accordance with federal financial management system\n              requirements.\n\nWith respect to HUD\xe2\x80\x99s substantial noncompliance with the Antideficiency Act (ADA), we\nrecommend that the Chief Financial Officer, in coordination with the appropriate program\noffices,\n\n       5.a.   Complete the investigations and determine whether or not ADA violations have\n              occurred, and if an ADA violation has occurred, immediately report to the\n              President, Congress, and GAO.\n\n       5.b.   Report the six ADA violations immediately to the President, Congress, and GAO,\n              as required by 31 U.S.C and OMB Circular A-11, upon receiving OCFO legal staff\n              concurrence with the investigation results.\n\n       5.c.   Develop and establish timeframes for reporting ADA violations once it is\n              determined a violation exists.\n\n\n\n\n         Unimplemented Recommendations From Prior Years\xe2\x80\x99 Reports\n\nNot included in the recommendations listed above are recommendations from prior years\xe2\x80\x99\nreports on HUD\xe2\x80\x99s financial statements that have not been fully implemented based on the status\nreported in ARCATS. HUD should continue to track these under the prior years\xe2\x80\x99 report numbers\nin accordance with departmental procedures. Each of these open recommendations and its status\n\n\n                                               48\n\x0cis shown below. Where appropriate, we have updated the prior recommendations to reflect\nchanges in emphasis resulting from recent work or management decisions.\n\n\nOIG Report Number 2009-FO-0003 (Fiscal Year 2008 Financial Statements)\n\nWith respect to the significant deficiency that HUD management must continue to improve\noversight and monitoring of subsidy calculations and intermediaries\xe2\x80\x99 program performance and\npromote full utilization of Housing Choice Voucher funds, we recommend that the Office of\nPublic and Indian Housing, in coordination with the Office of General Counsel,\n\n       1.a. Seek legislative authority to eliminate or modify the leasing restrictions placed on\n            the Housing Choice Voucher program (Final Action Target Date is December 31,\n            2011; reported in ARCATS as recommendation 1B).\n\nWith respect to the significant deficiency that HUD management must continue to improve\noversight and monitoring of subsidy calculations and intermediaries\xe2\x80\x99 program performance and\npromote full utilization of Housing Choice Voucher funds, we recommend that the Office of\nPublic and Indian Housing,\n\n       1.b. Increase the monitoring efforts over the Net Restricted Asset Account held by\n            PHAs (Final Action Target Date is December 31, 2011; reported in ARCATS as\n            recommendation 1C).\n\nWith respect to HUD\xe2\x80\x99s substantial noncompliance with the Federal Financial Management\nImprovement Act, we recommend that the Chief Financial Officer,\n\n       2.a. Develop a plan to comply with OMB A-127 review requirements, which results in\n            the evaluation of all HUD financial management systems within a 3-year cycle\n            (Final Action Target Date is November 30, 2009; reported in ARCATS as\n            recommendation 3A).\n\n\n\n\n                                               49\n\x0cAppendix C\n\nFederal Financial Management Improvement Act Noncompliance,\nResponsible Program Offices, and Recommended Remedial Actions\n\nThis appendix provides details required under Federal Financial Management Improvement Act\n(FFMIA) reporting requirements. To meet those requirements, we performed tests of\ncompliance using the implementation guidance for FFMIA issued by OMB and GAO\xe2\x80\x99s Financial\nAudit Manual. The results of our tests disclosed that HUD\xe2\x80\x99s systems did not substantially\ncomply with the foregoing requirements. The details for our basis of reporting substantial\nnoncompliance, responsible parties, primary causes, and HUD\xe2\x80\x99s intended remedial actions are\nincluded in the following sections.\n\nFederal Financial Management Systems Requirements\n1. HUD\xe2\x80\x99s annual assurance statement, issued pursuant to Section 4 of the Financial Manager\xe2\x80\x99s\nIntegrity Act, will report two nonconforming systems.12\n\n          The organizations responsible for systems that were found not to comply with the\n          requirements of OMB Circular A-127 based on HUD\xe2\x80\x99s assessments are as follows:\n\n\n      Responsible office                               Number of systems     Nonconforming systems\n      Office of Housing                                       18                        0\n      Office of the Chief Financial Officer                   12                        0\n      Office of Administration                                 2                        0\n      Office of the Chief Procurement Officer                  2                        2\n      Office of Community Planning and Development             3                        0\n      Office of Public and Indian Housing                      2                        0\n      Government National Mortgage Association                 1                        0\n      Totals                                                  40                        2\n\n\n\n\nThe following section outlines HUD\xe2\x80\x99s plan to correct noncompliance with OMB Circular A-127\nas submitted to us as of September 30, 2009, and unedited by us.\n\n\n\n\n12\n     The two nonconforming systems are A35-HUD Procurement System and P035-Small Purchase System.\n\n\n                                                     50\n\x0c51\n\x0c52\n\x0c53\n\x0c54\n\x0c55\n\x0c2. Our audit disclosed significant deficiencies regarding the security over financial\ninformation. Similar conditions have also been noted in other OIG audit reports. We are\nincluding security issues as a basis for noncompliance with FFMIA because of the\ncollective effect of the issue and noncompliance with Circular A-130, appendix 3, and the\nFederal Information Security Management Act (FISMA). The responsible office, nature of\nthe problem, and primary causes are summarized below:\n\nResponsible office       Nature of the problem\n\nOffice of Housing and    Financial system capacity limitations could impact business processing.\nOCIO\n                         To address the degradation on processing performance and high workload\n                         on business-critical housing systems, HUD increased capacity on the\n                         Unisys host platform. In addition, HUD upgraded network circuits and\n                         expanded Internet capacity critical to supporting FHA business activities.\n\n                         HUD also planned to migrate several large applications from the Unisys\n                         mainframe platform to an \xe2\x80\x95open systems\xe2\x80\x96 platform in 2009; however, the\n                         implementation did not occur as scheduled. Additional application and\n                         processing changes, (e.g., improved batch process scheduling and search\n                         databases) were also implemented to optimize the use of the processing\n                         resources.\n\n                         Throughout 2009, FHA and HUD closely monitored system use levels and\n                         increased data/processing capacity. HUD also recently contracted for the\n                         delivery of a new, larger mainframe (scheduled for full implementation\n                         November 30, 2009) to replace the existing IBM mainframe. FHA\n                         believes system use is now within acceptable levels, and management\n                         projects gradual declines in business volume for the next few years.\n\n                         The Office of the Chief Information Officer (OCIO) developed an informal\n                         written short-term capacity management plan at the end of fiscal year 2009\n                         that identifies the actions that have been taken and future activities required.\n                         However, because this growth in volume developed so quickly, the plan does\n                         not document (1) use benchmarks and required responses and (2) clear\n                         organizational and staff roles and responsibilities. Without a formalized plan,\n                         FHA and OCIO may not be able to sufficiently address further capacity\n                         issues effectively or in a timely manner, which may impact FHA\xe2\x80\x99s ability to\n                         process and record financial transactions reliably and in a timely manner.\n\nThese conditions occurred because of the increase in loan application and endorsement volume. And\nthe Unisys mainframe began to approach its operating capacity in the fall of 2008.\n\nOffice of Housing and Effective FHA modernization is necessary to address systems risks.\nOCIO\n                      In 2009, HUD commissioned a study to develop an IT strategy and\n                      improvement plan, which would identify strategic IT solutions to meet the\n                      agency\xe2\x80\x99s long-term programmatic objectives. This study served as a\n                      comprehensive IT systems risk assessment for FHA and thoroughly\n                      illustrates the many inefficiencies and limitations of the current system\n                      architecture. It examined operations at other Federal agencies and several\n                      mortgage, banking, and mortgage insurance operations. The study\n\n\n                                              56\n\x0cResponsible office        Nature of the problem\n\n                          recommended 33 technology and architecture approaches and 25 specific\n                          initiatives, including replacement of several of FHA\xe2\x80\x99s largest and most\n                          critical business systems. Critical objectives of the initiatives were to\n                                \xef\x82\xb7 Improve fraud detection\n                                \xef\x82\xb7 Improve risk management and loss mitigation\n                                \xef\x82\xb7 Improve program operations\n                                \xef\x82\xb7 Limit mission constraints related to dated technology\n\n                          Each initiative was reviewed, evaluated, and prioritized based on\n                          established risk criteria. The efforts to address these system\n                          recommendations are expected to take several years and cost hundreds of\n                          millions of dollars. FHA has taken a first step by appointing a full-time\n                          project management officer. In fiscal year 2010, FHA plans to perform a\n                          comprehensive risk assessment to ensure that this plan is consistent with\n                          the current OCIO strategic plan. Given their current state, FHA\xe2\x80\x99s financial\n                          systems will continue to require expensive maintenance and monitoring\n                          and are likely to pose increasing risks to the reliability of FHA\xe2\x80\x99s financial\n                          reporting and business operations until the modernization efforts are\n                          completed. The proposed plan should include an effective implementation\n                          plan and leadership team to ensure that the current systems are replaced\n                          within a timeframe that does not put FHA\xe2\x80\x99s financial operations at further\n                          risk.\n\nThese conditions occurred because FHA did not conduct a risk assessment of the various system\ninitiatives and required corrective actions in connection with the OCIO strategic plan and the IT\nstrategy and improvement plan.\n\nOffice of Housing         FHA should enhance the general ledger system user access management\nand OCIO                  processes.\n\n                          As indicated in the FHA Office of Housing IT strategy and improvement\n                          plan, \xe2\x80\x95FHA IT systems are a significant constraint on FHA\xe2\x80\x99s ability to\n                          rapidly and effectively adjust to this new environment. Over the last\n                          decade, little investment has been made in modernizing FHA\xe2\x80\x99s\n                          technology.\xe2\x80\x96 An initial step of system modernization was implemented in\n                          fiscal year 2009, with the integration of the Multifamily\n                          Endorsement/Premium and Claims processes into FHASL. During this\n                          implementation, additional developers and end-users were provided access\n                          to FHASL environments to perform various development activities,\n                          testing, and training functions. We noted that developers had access to the\n                          production environment in a greater than read-only capacity and end-users\n                          had access to the development environment. Additionally, we noted that\n                          four employees had excessive rights within the Multifamily Premiums\n                          module of FHASL (i.e., endorsement entry, premium reviewer,\n                          termination clerk, and mortgage servicer role) and compensating controls\n                          preventing the same user from performing incompatible functions on the\n                          same transaction were not effective. While granting these access levels\n                          may appear to improve the efficiency of system implementation, it\n                          increases the risk of transactions being inappropriately authorized and\n                          processed.\n\n\n\n                                              57\n\x0cResponsible office        Nature of the problem\n\n\n                          The monitoring of user business process functions within an application,\n                          audit logging, is essential in ensuring that only personnel with proper\n                          access rights are performing job functions. During fiscal year 2009, we\n                          noted that limited audit logging is performed over business functions; and\n                          the data elements that are being logged do not appear to be consequential\n                          to the process. Additionally, the audit logs produced are not reviewed to\n                          ensure that appropriate actions have been taken as required by HUD\n                          policy. A plan has been developed by the system owner that incorporates\n                          identifying the data elements to be audited, selecting the capture\n                          mechanism, defining reports and filters, and establishing the review\n                          process; however, this plan has not been implemented completely. The\n                          recording of auditable events and the periodic review of audit logs is\n                          essential to mitigate the risk of unauthorized access attempts or\n                          inappropriate personnel actions.\n\n                          A final component of user access management is the process of removing\n                          access no longer required by users. One method for completing this\n                          process is the disabling or removal of accounts after a specified period of\n                          inactivity. HUD policy mandates that inactive users be deleted after 90\n                          days of inactivity. We noted that approximately 30 user accounts with\n                          active access to FHASL had not logged into the application in more than\n                          90 days. FHASL is configured to have passwords automatically expire\n                          after 90 days of inactivity; however, these accounts are not permanently\n                          locked and can be reset by the user contacting the Help Desk. Accounts\n                          are manually deleted if they have been inactive for more than twelve\n                          months since the beginning of the previous year. In this situation, users do\n                          not have the ability to contact the Help Desk to reactivate their accounts.\n                          We noted that this process is manual because FHASL does not have an\n                          automated mechanism for disabling or removing accounts. By not\n                          disabling unused accounts timely, there is an increased risk that accounts\n                          may be used to gain unauthorized access to FHASL.\n\nThese conditions occurred because HUD\xe2\x80\x99s management did not consistently enforce policies and\nprocedures.\n\nOCIO                      Weaknesses existed in HUD\xe2\x80\x99s security management program. Specifically,\n\n                              \xef\x82\xb7   HUD did not properly categorize those systems containing\n                                  personally identifiable information (PII). HUD\xe2\x80\x99s inventory of\n                                  automated systems was not current and did not contain all systems\n                                  with PII.\n\n                              \xef\x82\xb7   HUD did not properly report 5 of 34 category I security incidents\n                                  to the proper authorities within the mandated timeframes.\n\nThese conditions occurred because HUD\xe2\x80\x99s management did not consistently enforce policies and\nprocedures.\n\nOCIO                      Weaknesses existed in security controls over HUD\xe2\x80\x99s Web applications and\n                          identified weaknesses in the areas of security configurations and technical\n\n\n                                              58\n\x0cResponsible office        Nature of the problem\n\n                          controls.\n\n                          For instance, HUD did not ensure that access controls followed the\n                          principle of least privilege for Web application configurations. Weak Web\n                          application security configurations disclose potentially sensitive\n                          information that may enable a malicious user to devise exploits of the\n                          application and the resources it accesses. This weakness could also\n                          potentially expose sensitive or confidential information as well as useful\n                          information that may enable a malicious user to devise effective and\n                          efficient exploits of the application and the resources it accesses.\n\n                          HUD did not adequately implement controls to ensure confidentiality and\n                          privacy for Web applications. These weaknesses were not exploitable\n                          vulnerabilities, but they were a violation of security policy because the\n                          configurations potentially allowed access to data that are required to be\n                          confidential by law. When weak privacy controls exist, they breach\n                          confidentiality requirements to protect sensitive information. An attacker\n                          can take advantage of these vulnerabilities to discover and access sensitive\n                          and confidential data. Further, HUD did not adequately review Web\n                          applications for vulnerabilities and patch them. Exploiting vulnerabilities\n                          can breach confidentiality requirements to reveal sensitive information.\n\nThese conditions occurred because HUD\xe2\x80\x99s management did not consistently enforce policies and\nprocedures.\n\nOCIO                      Weaknesses existed in controls over HUD\xe2\x80\x99s Disaster Recovery Grant\n                          Reporting System (DRGR) related to the Neighborhood Stabilization\n                          Program (NSP) funding.\n\n                          We found that (1) access control policies and procedures for DRGR violated\n                          HUD policy, (2) the system authorization to operate is outdated and based\n                          upon inaccurate and untested documentation, (3) CPD did not adequately\n                          separate the DRGR system and security administration functions, and (4)\n                          CPD had not sufficiently tested interface transactions between DRGR and the\n                          Line of Credit Control System (LOCCS). As a result, CPD cannot ensure\n                          that only authorized users have access to the application, user access is\n                          limited to only the data that are necessary for them to complete their jobs, and\n                          users who no longer require access to the data in the system have had their\n                          access removed. Further, the failure to sufficiently test interface transactions\n                          between DRGR and LOCCS leaves HUD with limited assurance that the\n                          $5.9 billion in NSP funding was accurately processed.\n\nThese conditions occurred because HUD\xe2\x80\x99s management did not consistently enforce policies and\nprocedures.\n\nOCIO                      Weaknesses existed in HUD\xe2\x80\x99s management procedures, practices, and\n                          controls related to the Recovery Act Management and Reporting System\n                          (RAMPS)\n\n                          We found that while HUD has taken actions to comply with the reporting\n                          requirements under the Recovery Act, it did not fully comply with the\n\n\n                                               59\n\x0cResponsible office        Nature of the problem\n\n                          reporting requirements to ensure that the recipients\xe2\x80\x99 use of all recovery\n                          funds is transparent to the public and that the public benefits of these\n                          funds are reported clearly, accurately, and in a timely manner.\n\n                          We reviewed the April 30 and July 15, 2009, National Environmental Policy\n                          Act (NEPA) reports and found that HUD program offices did not have\n                          existing systems to collect the NEPA data, were not able to use the newly\n                          developed RAMPS system, or were not provided training on how to use the\n                          system. As a result, HUD was not able to provide the NEPA status to the\n                          public in an accurate and timely manner for more than $2.9 billion in\n                          obligated funds. Additionally, HUD did not complete required security and\n                          privacy documents before or during the early phase of system development.\n                          HUD did not follow Federal and HUD security policies for implementing\n                          these security requirements for RAMPS. As a result, HUD officials could\n                          not ensure that all security controls were in place, implemented correctly,\n                          and operating as intended.\n\nThese conditions occurred because HUD\xe2\x80\x99s management did not consistently enforce policies and\nprocedures.\n\nOCIO                      Weaknesses still existed in security controls over HUD\xe2\x80\x99s databases.\n\n                          During fiscal year 2008, we evaluated security controls over HUD\xe2\x80\x99s\n                          databases. We identified security configuration and technical control\n                          deficiencies within HUD\xe2\x80\x99s database security controls in the areas of (1)\n                          passwords, (2) system patches, and (3) system configuration. We followed\n                          up on the status of these weaknesses during fiscal year 2009 and determined\n                          that technical control deficiencies relating to database passwords and\n                          database patches had been reviewed and corrected as the Office of the Chief\n                          Information Officer (OCIO) deemed appropriate. OCIO has not yet\n                          implemented secure configuration baselines for databases and the reviews for\n                          monitoring those configurations. This corrective action is not scheduled to\n                          be completed until December 31, 2010.\n\nThese conditions occurred because HUD\xe2\x80\x99s management did not consistently enforce policies and\nprocedures.\n\nOCPO                      Control weaknesses still existed for HUD Procurement System (HPS) and\n                          HUD Small Purchase System (SPS). Specifically,\n\n                          Two significant recommendations made in the audit report remained open,\n                          and the procurement systems continued to be noncompliant with Federal\n                          financial management requirements. The Office of the Chief Procurement\n                          Officer (OCPO) has yet to complete the corrective actions for the known\n                          open information security vulnerabilities. In addition, OCPO had not\n                          implemented functionality to ensure that there is sufficient information within\n                          HUD\xe2\x80\x99s current procurement systems to support the primary acquisition\n                          functions of fund certification, obligation, deobligation, payment, and\n                          closeout. OCPO plans to replace the current acquisition systems and during\n                          fiscal year 2009, obtained $3.7million in funding to purchase a commercial\n                          off-the-shelf application. The acquisition of the new application is\n\n\n                                              60\n\x0cResponsible office        Nature of the problem\n\n                          anticipated to be complete by June 30, 2010. However, full funding to\n                          complete the project had not been obtained; therefore, it is unclear when the\n                          new application will be fully implemented.\n\nThese conditions occurred because OCPO had not been able to secure funding to complete the planned\ncorrective action.\n\nOCIO and OCFO             Control weaknesses that could negatively affect the integrity,\n                          confidentiality, and availability of computerized financial data within three\n                          of HUD\xe2\x80\x99s financial systems \xe2\x80\x93 Nortridge Loan System (NLS), HUD\xe2\x80\x99s\n                          Central Accounting and Program System (HUDCAPS), and Line of\n                          Credit Control System (LOCCS) - still existed. Specifically,\n\n                          Access controls over HUD\xe2\x80\x99s NLS needed to be strengthened. We\n                          determined that controls over the NLS user recertification process were not\n                          effective to ensure that all users with access to the production data were\n                          properly recertified. In addition, HUD did not appropriately separate the\n                          functions of system administration and system security within NLS. By\n                          not ensuring that the access levels of all NLS users were reviewed, HUD\n                          was unable to ensure that users only had access to the data that were\n                          necessary for them to complete their jobs, that only authorized users had\n                          access to the system, and that users who no longer required access to the\n                          data in the system had their access removed. Inadequately segregated\n                          duties increase the risk that erroneous or fraudulent transactions could be\n                          processed, that improper program changes could be implemented, and that\n                          computer resources could be damaged or destroyed. OCFO provided\n                          documentation to support completion of planned corrective actions.\n\n                          In fiscal year 2009, we found that HUD did not take steps to ensure that IT\n                          contractors were properly rescreened to ensure their continued eligibility\n                          to access sensitive systems and application data in accordance with HUD\n                          guidelines. Specifically, HUD did not initiate updated background\n                          investigations for contractor personnel with access to HUDCAPS every 5\n                          years as required by HUD policy. As of December 2008, OCFO had not\n                          initiated updated background investigations for 10 of the 20 contractors\n                          with above-read access to the HUDCAPS application. The background of\n                          one contractor employee had not been reassessed since 1975. Background\n                          investigations ensure, to the extent possible, that employees are suitable to\n                          perform their duties. By not performing required background screenings,\n                          HUD increased its risk that unsuitable individuals would have access to\n                          sensitive systems and data.\n\n                          Again in fiscal year 2009, we were able to identified LOCCS users that\n                          were not recertified by the system. As a result, we concluded that further\n                          improvements are necessary to ensure that all users of LOCCS are\n                          recertified in accordance with HUD policy and that the corrective action\n                          taken in response to our 2007 finding did not fully address the problem.\n\n\nThese conditions occurred because HUD\xe2\x80\x99s management did not consistently enforce policies and\n\n\n\n                                              61\n\x0cResponsible office        Nature of the problem\n\nprocedures.\n\nOCIO                      Weaknesses still existed in security controls over HUD\xe2\x80\x99s IBM mainframe.\n\n                          In fiscal year 2009, we determined that HUD had not completed the task\n                          of securing libraries and data files within the IBM mainframe\n                          environment.\n\nThese conditions occurred because HUD\xe2\x80\x99s management did not consistently enforce policies and\nprocedures.\n\nOCIO                      Weaknesses still existed in security controls over HUD\xe2\x80\x99s software\n                          configuration management.\n\n                          We previously reported that the configuration management plan for\n                          Institution Master File (IMF) contained outdated information. We also\n                          reported that HUD did not ensure that its IT support contractor provided\n                          the proper version of a configuration management tool used by five of its\n                          applications. Without updated configuration management documentation,\n                          HUD risks that outdated policies and plans may not address current risk\n                          and, therefore, be ineffective.\n\n                          HUD had not yet fully resolved the issue of the outdated version of the\n                          configuration management tool. HUD had made progress in updating the\n                          configuration management plan for IMF. However, configuration\n                          management plans for several FHA applications identified in our fiscal\n                          year 2007 review still have not been updated to include reported issues\n                          such as incomplete or outdated information.\n\n                          In fiscal year 2009, we found that the configuration management plan for\n                          the Integrated Disbursement and Information System OnLine (IDIS\n                          OnLine) also lacked information and contained outdated information.\n\nThese conditions occurred because management did not consistently enforce policies and procedures.\n\n\n\n\n                                              62\n\x0cResponsible office          Nature of the problem\n\nOCIO                        Weaknesses still existed in controls over HUD\xe2\x80\x99s contingency planning.\n\n                            In fiscal year 2009, we found that HUD had updated listings for the\n                            recovery team and critical applications. However, the disaster recovery\n                            plan still contained conflicting information. Additionally, we found that\n                            disaster recovery exercises did not fully test system functionality because\n                            the critical applications were not verified through transaction and batch\n                            processing and the exercises did not include recovery of all applications\n                            that interface with the critical systems. By not having current information\n                            in the disaster recovery plan and fully testing system functionality during\n                            disaster recovery exercises, HUD cannot ensure that its systems and\n                            applications will function as intended in an actual emergency.\n\n                            In 2008, we reported that contingency planning at third-party business sites\n                            was inadequate. Staffs were unfamiliar with or had limited knowledge of\n                            contingency planning requirements, and documentation was not readily\n                            available for use in case of emergency. We determined that HUD had not\n                            specified contingency planning, continuity of operations, or disaster recovery\n                            requirements in its agreements with third-party business partners. Such\n                            information is usually included in the terms and conditions of a contract or\n                            service-level agreement with the external business partner. Consequently,\n                            third-party business partners developed limited contingency planning policies\n                            that did not meet HUD or National Institute of Standards and Technology\n                            (NIST) requirements. Management generally agreed that corrective action\n                            was needed, but had not taken action on any of OIG\xe2\x80\x99s recommendations.\n\nThese conditions occurred because management did not consistently enforce policies and procedures and\nHUD had not specified contingency planning, continuity of operations, or disaster recovery requirements\nin its agreements with third-party business partners. Consequently, third-party business partners had\ndeveloped limited contingency planning policies that did not meet HUD or NIST requirements.\n\nOCIO                        Weaknesses still existed in controls over HUD\xe2\x80\x99s physical security.\n\n                            In fiscal year 2008, we reported that physical security at the third-party\n                            business sites we visited was inadequate and weaknesses existed at those\n                            sites. We found instances in which servers were located in common areas\n                            (i.e., lunch rooms, halls), case binders with PII were left unattended, no guard\n                            or receptionist was at the entrance, access doors were unlocked, and\n                            encryption of data residing on laptops or portable devices was not a\n                            requirement.\n\n                            In fiscal year 2009, management generally agreed that corrective action was\n                            needed but had not taken action on any of OIG\xe2\x80\x99s recommendations.\n\nThis condition occurred because HUD had not specified the level of security controls and included it in\nthe terms and conditions of the contract or service-level agreement with the external business partner.\nAs a result, third-party business partners have developed various IT security controls and policies that do\nnot meet HUD or Federal requirements and, therefore, cannot be relied upon to provide adequate\nprotection of HUD\xe2\x80\x99s sensitive data.\n\n\n\n\n                                                 63\n\x0cResponsible office   Nature of the problem\n\nOCIO                 Personnel security weaknesses still existed. Specifically,\n\n                     Since 2004, we have reported that HUD did not have a complete list of all\n                     users with above-read access at the application level. Those users with\n                     above-read access to sensitive application systems are required to have a\n                     background investigation. Our review this year found that HUD still did\n                     not have a central repository that lists all users with access to HUD\xe2\x80\x99s\n                     general support and application systems. Consequently, in fiscal year\n                     2009, HUD still had no central listing for reconciling that all users who\n                     have access to HUD\xe2\x80\x99s critical and sensitive systems have had the\n                     appropriate background investigation.\n\n                     While HUD\xe2\x80\x99s implementation, in 2007, of the Centralized HUD Account\n                     Management Process (CHAMP) was a step toward improving its user\n                     account management practices, CHAMP remained incomplete and does\n                     not fully address OIG\xe2\x80\x99s concerns. Specifically, we noted that\n\n                         \xef\x82\xb7   CHAMP does not contain complete and accurate data. OCIO did\n                             not electronically migrate data from the HUD Online User\n                             Registration System (HOURS) into CHAMP. Instead, it chose to\n                             enter the legacy data manually. However, this process had not\n                             been completed. In a July 2008 audit report, we recommended\n                             that all offices within HUD provide the historical information\n                             necessary to populate CHAMP. OCIO agreed with our\n                             recommendation, and corrective action is scheduled for\n                             completion in December 2009.\n\n                         \xef\x82\xb7   CHAMP does not contain a mechanism to escalate or reassign\n                             tasks that have not been completed within a specified timeframe.\n                             In a July 2008 audit report, we recommended that OCIO develop\n                             and implement such a mechanism. OCIO agreed with the\n                             recommendation, and corrective action is scheduled for\n                             completion in December 2009.\n\n\n\n\n                                         64\n\x0cResponsible office   Nature of the problem\n\n                         \xef\x82\xb7   HUD did not conduct a security categorization and a risk\n                             assessment for CHAMP as required by Federal Information\n                             Processing Standards (FIPS) Publications (PUB) 199 and 200.\n                             HUD\xe2\x80\x99s OCIO chose not to conduct a security categorization and\n                             risk assessment for CHAMP because it believed that these items\n                             were not required for CHAMP, which is listed as a process rather\n                             than a system. HUD also believed that since CHAMP was\n                             exclusively owned by its IT contractor, it was not subject to the\n                             requirements of a security categorization and a risk assessment.\n                             Without a security categorization and risk assessment of CHAMP,\n                             HUD cannot know the full extent of risks that the CHAMP\n                             process is vulnerable to or whether adequate levels of security\n                             controls have been put into place to protect data and applications\n                             impacted by CHAMP. OIG recommended that OCIO conduct a\n                             security categorization and a risk assessment for CHAMP. OCIO\n                             agreed with this recommendation; however, corrective action had\n                             not been taken.\n\n                         \xef\x82\xb7   Reconciliations to identify users with above-read (query) access to\n                             HUD mission-critical (sensitive) applications but without\n                             appropriate background checks were not routinely conducted.\n                             Officials from the Office of Security and Emergency Planning\n                             (OSEP) and OCIO asserted that with the implementation of\n                             CHAMP and the new security manager computer system, it would\n                             be impossible for an employee or contractor to obtain access to\n                             any of HUD\xe2\x80\x99s systems without the appropriate background\n                             investigation. Thus, the reconciliation was no longer needed.\n\n                     Contrary to OSEP and OCIO\xe2\x80\x99s assertions, a reconciliation performed by\n                     OSEP for second quarter 2009 identified 27 persons with the incorrect\n                     level of background investigation, including three persons with no record\n                     of a background investigation having been performed. In addition,\n                     although the HUD Personnel Security/Suitability Handbook contains\n                     policies to suspend, deny, and terminate access of users who do not meet\n                     its standards, we found no evidence that HUD OCIO had taken actions\n                     regarding users without appropriate background investigations having\n                     access to HUD sensitive systems. As a result, HUD could not ensure that\n                     its critical and sensitive information could be protected from unauthorized\n                     access, loss, misuse, modification, or improper disclosure.\n\n\n\n\n                                         65\n\x0cResponsible office        Nature of the problem\n\n                          We remain concerned because the reconciliation included users of only\n                          one of HUD\xe2\x80\x99s mission-critical systems. We previously reported that users\n                          of HUD\xe2\x80\x99s general support systems on which these mission-critical\n                          applications reside were not included in the reconciliations because they\n                          were not classified as mission critical. Having access to general support\n                          systems typically includes access to system tools, which provide the means\n                          to modify data and network configurations. We identified IT personnel,\n                          such as database administrators and network engineers, who have access to\n                          these types of system tools but do not have appropriate background\n                          checks. These persons were not identified as part of the CHAMP\n                          reconciliation process.\n\nThese conditions occurred because management did not consistently enforce policies and procedures.\n\n\n\n\n                                              66\n\x0cAppendix D\n\n              SCHEDULE OF QUESTIONED COSTS\n             AND FUNDS TO BE PUT TO BETTER USE\n\n Recommendation       Ineligible 1/      Unsupported      Unreasonable or     Funds to be put\n     number                                  2/           unnecessary 3/      to better use 4/\n      1.e                                                                         $24.7 M\n      1.g                                                                            $42 M\n      2.a                                                                          $317 M\n      3.a                                                                           $8.8 M\n      3.c                                                                           $4.7 M\n      3.e                                                                         $23.4 M\n      3.g                                                                         $75.3 M\n      3.k                                                                         $20.2 M\n\n\n1/   Ineligible costs are costs charged to a HUD-financed or HUD-insured program or activity\n     that the auditor believes are not allowable by law; contract; or Federal, State, or local\n     policies or regulations.\n\n2/   Unsupported costs are those costs charged to a HUD-financed or HUD-insured program\n     or activity when we cannot determine eligibility at the time of the audit. Unsupported\n     costs require a decision by HUD program officials. This decision, in addition to\n     obtaining supporting documentation, might involve a legal interpretation or clarification\n     of departmental policies and procedures.\n\n3/   Unnecessary/unreasonable costs are those costs not generally recognized as ordinary,\n     prudent, relevant, and/or necessary within established practices. Unreasonable costs\n     exceed the costs that would be incurred by a prudent person in conducting a competitive\n     business.\n\n4/   Recommendations that funds be put to better use are estimates of amounts that could be\n     used more efficiently if an OIG recommendation is implemented. These amounts include\n     reductions in outlays, deobligation of funds, withdrawal of interest, costs not incurred by\n     implementing recommended improvements, avoidance of unnecessary expenditures\n     noted in preaward reviews, and any other savings that are specifically identified.\n\n\n\n\n                                             67\n\x0cAppendix E\n             Agency Comments\n\n\n\n\n                   68\n\x0c69\n\x0c70\n\x0cAppendix F\n\n            OIG EVALUATION OF AGENCY COMMENTS\n\nWith the exception of the report\xe2\x80\x99s conclusions related Federal Financial Management\nImprovement Act (FFMIA) compliance, HUD management generally agrees with our\npresentation of findings and recommendations subject to detail comments.\n\nThe disagreements to our FFMIA compliance conclusions related to formula grant reporting and\nHUD\xe2\x80\x99s integrated financial management system. HUD\xe2\x80\x99s Office of Community Planning and\nDevelopment disagrees that their formula grant reporting is not incompliance with FFMIA.\nRegarding overall financial management system compliance with FFMIA, HUD agrees that their\nsystems processes can be more efficiently integrated to eliminate the need for existing\ncompensating controls, but feel the existing environment is substantially compliant and not\nrepresentative of a material risk of misreporting.\n\nWe disagree with HUD\xe2\x80\x99s conclusions regarding FFMIA compliance. In regards to the CPD\nformula grants reporting, while FFMIA requires that budget, performance, and financial\ninformation should be reconcilable to the grant year funds were approved, our reviews indicated\nthat CPD did not record information in a way that allowed such reconciliations. FFMIA\nemphasizes the need for agencies to have systems that are able to generate reliable, useful, and\ntimely information for decision-making purposes and to ensure accountability on an ongoing\nbasis. The deficiencies noted in HUD\xe2\x80\x99s financial management systems are due to the current\nfinancial system being developed prior to the issuance of current requirements. It is also\ntechnically obsolete, has inefficient multiple batch processes, and requires labor-intensive\nmanual reconciliations. Because of these inefficiencies, HUD\xe2\x80\x99s management systems are unable\nto routinely produce reliable, useful, and timely financial information. This weakness manifests\nitself by limiting HUD\xe2\x80\x99s capacity to manage with timely and objective data, and thereby hampers\nits ability to effectively manage and oversee its major programs.\n\nIn addition, HUD is not fully compliant with one of the three indicators of compliance with\nFederal financial management requirements. HUD has significant deficiencies related to security\nover financial management information systems in accordance with FISMA and OMB Circular\nA-130 Appendix III. The Department has not met the minimum set of automated information\nresource controls relating to Entity-wide Security Program Planning and Management.\n\nIn regards to Anti deficiency Act Reporting and Erroneous Payments, we reviewed the\nDepartment\xe2\x80\x99s comments and made clarifying changes to the report.\n\n\n\n\n                                              71\n\x0c"